wazuh / wazuh-installation-assistant

Wazuh - Installation assistant
https://wazuh.com/
GNU General Public License v2.0
1 stars 3 forks source link

Consider to increase the `wazuh-cert-tool.sh` RSA-2048 and SHA-256 to 4096 and 512 #6

Open alberpilot opened 2 years ago

alberpilot commented 2 years ago

The Wazuh certificates creation tool uses the cipher algorithms RSA 2048 and SHA 256. It's time to analyze if we can upgrade them to 4096 and 512 respectively.

davidcr01 commented 7 months ago

Update Report

PoC

Before applying this changes, it is necessary to check if the Wazuh central components are running correctly. As a Proof of Concept test, I deployed an AIO installation with the Installation assistant.

Installation log ```console root@ubuntu22:/home/vagrant# cat /var/log/wazuh-install.log 05/04/2024 09:11:04 DEBUG: Checking root permissions. 05/04/2024 09:11:04 DEBUG: Checking sudo package. 05/04/2024 09:11:04 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0 05/04/2024 09:11:04 INFO: Verbose logging redirected to /var/log/wazuh-install.log 05/04/2024 09:11:04 DEBUG: APT package manager will be used. 05/04/2024 09:11:04 DEBUG: Checking system distribution. 05/04/2024 09:11:04 DEBUG: Detected distribution name: ubuntu 05/04/2024 09:11:04 DEBUG: Detected distribution version: 22 05/04/2024 09:11:04 DEBUG: Installing check dependencies. Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease Get:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB] Get:3 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [109 kB] Get:4 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [14.1 MB] Get:5 http://archive.ubuntu.com/ubuntu jammy/universe Translation-en [5652 kB] Get:6 http://archive.ubuntu.com/ubuntu jammy/universe amd64 c-n-f Metadata [286 kB] Get:7 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [217 kB] Get:8 http://archive.ubuntu.com/ubuntu jammy/multiverse Translation-en [112 kB] Get:9 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 c-n-f Metadata [8372 B] Get:10 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1519 kB] Get:11 http://archive.ubuntu.com/ubuntu jammy-updates/main Translation-en [293 kB] Get:12 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [1648 kB] Get:13 http://archive.ubuntu.com/ubuntu jammy-updates/restricted Translation-en [275 kB] Get:14 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1060 kB] Get:15 http://archive.ubuntu.com/ubuntu jammy-updates/universe Translation-en [241 kB] Get:16 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 c-n-f Metadata [22.1 kB] Get:17 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [49.6 kB] Get:18 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse Translation-en [12.0 kB] Get:19 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 c-n-f Metadata [472 B] Get:20 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [67.1 kB] Get:21 http://archive.ubuntu.com/ubuntu jammy-backports/main Translation-en [11.0 kB] Get:22 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 c-n-f Metadata [388 B] Get:23 http://archive.ubuntu.com/ubuntu jammy-backports/restricted amd64 c-n-f Metadata [116 B] Get:24 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [28.4 kB] Get:25 http://archive.ubuntu.com/ubuntu jammy-backports/universe Translation-en [16.2 kB] Get:26 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 c-n-f Metadata [644 B] Get:27 http://archive.ubuntu.com/ubuntu jammy-backports/multiverse amd64 c-n-f Metadata [116 B] Get:28 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB] Get:29 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [1303 kB] Get:30 http://security.ubuntu.com/ubuntu jammy-security/main Translation-en [233 kB] Get:31 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [1616 kB] Get:32 http://security.ubuntu.com/ubuntu jammy-security/restricted Translation-en [271 kB] Get:33 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [852 kB] Get:34 http://security.ubuntu.com/ubuntu jammy-security/universe Translation-en [163 kB] Get:35 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 c-n-f Metadata [16.8 kB] Get:36 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [37.1 kB] Get:37 http://security.ubuntu.com/ubuntu jammy-security/multiverse Translation-en [7476 B] Get:38 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 c-n-f Metadata [260 B] Fetched 13.3 MB in 16s (819 kB/s) Reading package lists... 05/04/2024 09:11:32 DEBUG: Checking Wazuh installation. 05/04/2024 09:11:34 DEBUG: Checking system architecture. 05/04/2024 09:11:34 WARNING: Hardware and system checks ignored. 05/04/2024 09:11:34 INFO: Wazuh web interface port will be 443. 05/04/2024 09:11:35 DEBUG: Checking ports availability. Hit:1 http://security.ubuntu.com/ubuntu jammy-security InRelease Hit:2 http://archive.ubuntu.com/ubuntu jammy InRelease Hit:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease Hit:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease Reading package lists... 05/04/2024 09:11:38 DEBUG: Installing prerequisites dependencies. 05/04/2024 09:11:42 INFO: --- Dependencies ---- 05/04/2024 09:11:42 INFO: Installing apt-transport-https. Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: apt-transport-https 0 upgraded, 1 newly installed, 0 to remove and 72 not upgraded. Need to get 1510 B of archives. After this operation, 170 kB of additional disk space will be used. Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 apt-transport-https all 2.4.12 [1510 B] Fetched 1510 B in 0s (3655 B/s) Selecting previously u NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.15.0-92-generic NEEDRESTART-KEXP: 5.15.0-92-generic NEEDRESTART-KSTA: 1 05/04/2024 09:11:48 INFO: Installing debhelper. Reading package lists... Building dependency tree... Reading state information... The following additional packages will be installed: autoconf automake autopoint autotools-dev build-essential bzip2 cpp cpp-11 debugedit dh-autoreconf dh-strip-nondeterminism dpkg-dev dwz fakeroot fontconfig-config fonts-dejavu-core g++ g++-11 gcc gcc-11 gcc-11-base gettext intltool-debian libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libarchive-cpio-perl libarchive-zip-perl libasan6 libatomic1 libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libdebhelper-perl libdeflate0 libdpkg-perl libfakeroot libfile-fcntllock-perl libfile-stripnondeterminism-perl libfontconfig1 libgcc-11-dev libgd3 libgomp1 libisl23 libitm1 libjbig0 libjpeg-turbo8 libjpeg8 liblsan0 libltdl-dev libltdl7 libmail-sendmail-perl libmpc3 libnsl-dev libquadmath0 libstdc++-11-dev libsub-override-perl libsys-hostname-long-perl libtiff5 libtirpc-dev libtool libtsan0 libubsan1 libwebp7 libxpm4 linux-libc-dev lto-disabled-list m4 make manpages-dev po-debconf rpcsvc-proto Suggested packages: autoconf-archive gnu-standards autoconf-doc bzip2-doc cpp-doc gcc-11-locales dh-make debian-keyring g++-multilib g++-11-multilib gcc-11-doc gcc-multilib flex bison gdb gcc-doc gcc-11-multilib gettext-doc libasprintf-dev libgettextpo-dev glibc-doc bzr libgd-tools libtool-doc libstdc++-11-doc gfortran | fortran95-compiler gcj-jdk m4-doc make-doc libmail-box-perl The following NEW packages will be installed: autoconf automake autopoint autotools-dev build-essential bzip2 cpp cpp-11 debhelper debugedit dh-autoreconf dh-strip-nondeterminism dpkg-dev dwz fakeroot fontconfig-config fonts-dejavu-core g++ g++-11 gcc gcc-11 gcc-11-base gettext intltool-debian libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libarchive-cpio-perl libarchive-zip-perl libasan6 libatomic1 libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libdebhelper-perl libdeflate0 libdpkg-perl libfakeroot libfile-fcntllock-perl libfile-stripnondeterminism-perl libfontconfig1 libgcc-11-dev libgd3 libgomp1 libisl23 libitm1 libjbig0 libjpeg-turbo8 libjpeg8 liblsan0 libltdl-dev libltdl7 libmail-sendmail-perl libmpc3 libnsl-dev libquadmath0 libstdc++-11-dev libsub-override-perl libsys-hostname-long-perl libtiff5 libtirpc-dev libtool libtsan0 libubsan1 libwebp7 libxpm4 linux-libc-dev lto-disabled-list m4 make manpages-dev po-debconf rpcsvc-proto 0 upgraded, 75 newly installed, 0 to remove and 72 not upgraded. Need to get 68.2 MB of archives. After this operation, 221 MB of additional disk space will be used. Get:1 http://archive.ubuntu.com/ubuntu jammy/main amd64 m4 amd64 1.4.18-5ubuntu2 [199 kB] Get:2 http://archive.ubuntu.com/ubuntu jammy/main amd64 autoconf all 2.71-2 [338 kB] Get:3 http://archive.ubuntu.com/ubuntu jammy/main amd64 autotools-dev all 20220109.1 [44.9 kB] Get:4 http://archive.ubuntu.com/ubuntu jammy/main amd64 automake all 1:1.16.5-1.3 [558 kB] Get:5 http://archive.ubuntu.com/ubuntu jammy/main amd64 autopoint all 0.21-4ubuntu4 [422 kB] Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libc-dev-bin amd64 2.35-0ubuntu3.6 [20.3 kB] Get:7 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 linux-libc-dev amd64 5.15.0-101.111 [1333 kB] Get:8 http://archive.ubuntu.com/ubuntu jammy/main amd64 libcrypt-dev amd64 1:4.4.27-1 [112 kB] Get:9 http://archive.ubuntu.com/ubuntu jammy/main amd64 rpcsvc-proto amd64 1.4.2-0ubuntu6 [68.5 kB] Get:10 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libtirpc-dev amd64 1.3.2-2ubuntu0.1 [192 kB] Get:11 http://archive.ubuntu.com/ubuntu jammy/main amd64 libnsl-dev amd64 1.3.0-2build2 [71.3 kB] Get:12 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libc6-dev amd64 2.35-0ubuntu3.6 [2100 kB] Get:13 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 gcc-11-base amd64 11.4.0-1ubuntu1~22.04 [20.2 kB] Get:14 http://archive.ubuntu.com/ubuntu jammy/main amd64 libisl23 amd64 0.24-2build1 [727 kB] Get:15 http://archive.ubuntu.com/ubuntu jammy/main amd64 libmpc3 amd64 1.2.1-2build1 [46.9 kB] Get:16 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 cpp-11 amd64 11.4.0-1ubuntu1~22.04 [10.0 MB] Get:17 http://archive.ubuntu.com/ubuntu jammy/main amd64 cpp amd64 4:11.2.0-1ubuntu1 [27.7 kB] Get:18 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libcc1-0 amd64 12.3.0-1ubuntu1~22.04 [48.3 kB] Get:19 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libgomp1 amd64 12.3.0-1ubuntu1~22.04 [126 kB] Get:20 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libitm1 amd64 12.3.0-1ubuntu1~22.04 [30.2 kB] Get:21 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libatomic1 amd64 12.3.0-1ubuntu1~22.04 [10.4 kB] Get:22 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libasan6 amd64 11.4.0-1ubuntu1~22.04 [2282 kB] Get:23 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 liblsan0 amd64 12.3.0-1ubuntu1~22.04 [1069 kB] Get:24 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libtsan0 amd64 11.4.0-1ubuntu1~22.04 [2260 kB] Get:25 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libubsan1 amd64 12.3.0-1ubuntu1~22.04 [976 kB] Get:26 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libquadmath0 amd64 12.3.0-1ubuntu1~22.04 [154 kB] Get:27 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libgcc-11-dev amd64 11.4.0-1ubuntu1~22.04 [2517 kB] Get:28 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 gcc-11 amd64 11.4.0-1ubuntu1~22.04 [20.1 MB] Get:29 http://archive.ubuntu.com/ubuntu jammy/main amd64 gcc amd64 4:11.2.0-1ubuntu1 [5112 B] Get:30 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libstdc++-11-dev amd64 11.4.0-1ubuntu1~22.04 [2101 kB] Get:31 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 g++-11 amd64 11.4.0-1ubuntu1~22.04 [11.4 MB] Get:32 http://archive.ubuntu.com/ubuntu jammy/main amd64 g++ amd64 4:11.2.0-1ubuntu1 [1412 B] Get:33 http://archive.ubuntu.com/ubuntu jammy/main amd64 make amd64 4.3-4.1build1 [180 kB] Get:34 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libdpkg-perl all 1.21.1ubuntu2.3 [237 kB] Get:35 http://archive.ubuntu.com/ubuntu jammy/main amd64 bzip2 amd64 1.0.8-5build1 [34.8 kB] Get:36 http://archive.ubuntu.com/ubuntu jammy/main amd64 lto-disabled-list all 24 [12.5 kB] Get:37 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 dpkg-dev all 1.21.1ubuntu2.3 [922 kB] Get:38 http://archive.ubuntu.com/ubuntu jammy/main amd64 build-essential amd64 12.9ubuntu3 [4744 B] Get:39 http://archive.ubuntu.com/ubuntu jammy/main amd64 libdebhelper-perl all 13.6ubuntu1 [67.2 kB] Get:40 http://archive.ubuntu.com/ubuntu jammy/main amd64 libtool all 2.4.6-15build2 [164 kB] Get:41 http://archive.ubuntu.com/ubuntu jammy/main amd64 dh-autoreconf all 20 [16.1 kB] Get:42 http://archive.ubuntu.com/ubuntu jammy/main amd64 libarchive-zip-perl all 1.68-1 [90.2 kB] Get:43 http://archive.ubuntu.com/ubuntu jammy/main amd64 libsub-override-perl all 0.09-2 [9532 B] Get:44 http://archive.ubuntu.com/ubuntu jammy/main amd64 libfile-stripnondeterminism-perl all 1.13.0-1 [18.1 kB] Get:45 http://archive.ubuntu.com/ubuntu jammy/main amd64 dh-strip-nondeterminism all 1.13.0-1 [5344 B] Get:46 http://archive.ubuntu.com/ubuntu jammy/main amd64 debugedit amd64 1:5.0-4build1 [47.2 kB] Get:47 http://archive.ubuntu.com/ubuntu jammy/main amd64 dwz amd64 0.14-1build2 [105 kB] Get:48 http://archive.ubuntu.com/ubuntu jammy/main amd64 gettext amd64 0.21-4ubuntu4 [868 kB] Get:49 http://archive.ubuntu.com/ubuntu jammy/main amd64 intltool-debian all 0.35.0+20060710.5 [24.9 kB] Get:50 http://archive.ubuntu.com/ubuntu jammy/main amd64 po-debconf all 1.0.21+nmu1 [233 kB] Get:51 http://archive.ubuntu.com/ubuntu jammy/main amd64 debhelper all 13.6ubuntu1 [923 kB] Get:52 http://archive.ubuntu.com/ubuntu jammy/main amd64 libfakeroot amd64 1.28-1ubuntu1 [31.5 kB] Get:53 http://archive.ubuntu.com/ubuntu jammy/main amd64 fakeroot amd64 1.28-1ubuntu1 [60.4 kB] Get:54 http://archive.ubuntu.com/ubuntu jammy/main amd64 fonts-dejavu-core all 2.37-2build1 [1041 kB] Get:55 http://archive.ubuntu.com/ubuntu jammy/main amd64 fontconfig-config all 2.13.1-4.2ubuntu5 [29.1 kB] Get:56 http://archive.ubuntu.com/ubuntu jammy/main amd64 libalgorithm-diff-perl all 1.201-1 [41.8 kB] Get:57 http://archive.ubuntu.com/ubuntu jammy/main amd64 libalgorithm-diff-xs-perl amd64 0.04-6build3 [11.9 kB] Get:58 http://archive.ubuntu.com/ubuntu jammy/main amd64 libalgorithm-merge-perl all 0.08-3 [12.0 kB] Get:59 http://archive.ubuntu.com/ubuntu jammy/main amd64 libarchive-cpio-perl all 0.10-1.1 [9928 B] Get:60 http://archive.ubuntu.com/ubuntu jammy/main amd64 libfontconfig1 amd64 2.13.1-4.2ubuntu5 [131 kB] Get:61 http://archive.ubuntu.com/ubuntu jammy/main amd64 libjpeg-turbo8 amd64 2.1.2-0ubuntu1 [134 kB] Get:62 http://archive.ubuntu.com/ubuntu jammy/main amd64 libjpeg8 amd64 8c-2ubuntu10 [2264 B] Get:63 http://archive.ubuntu.com/ubuntu jammy/main amd64 libdeflate0 amd64 1.10-2 [70.9 kB] Get:64 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libjbig0 amd64 2.1-3.1ubuntu0.22.04.1 [29.2 kB] Get:65 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libwebp7 amd64 1.2.2-2ubuntu0.22.04.2 [206 kB] Get:66 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libtiff5 amd64 4.3.0-6ubuntu0.8 [185 kB] Get:67 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libxpm4 amd64 1:3.5.12-1ubuntu0.22.04.2 [36.7 kB] Get:68 http://archive.ubuntu.com/ubuntu jammy/main amd64 libgd3 amd64 2.3.0-2ubuntu2 [129 kB] Get:69 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libc-devtools amd64 2.35-0ubuntu3.6 [29.0 kB] Get:70 http://archive.ubuntu.com/ubuntu jammy/main amd64 libfile-fcntllock-perl amd64 0.22-3build7 [33.9 kB] Get:71 http://archive.ubuntu.com/ubuntu jammy/main amd64 libltdl7 amd64 2.4.6-15build2 [39.6 kB] Get:72 http://archive.ubuntu.com/ubuntu jammy/main amd64 libltdl-dev amd64 2.4.6-15build2 [169 kB] Get:73 http://archive.ubuntu.com/ubuntu jammy/main amd64 libsys-hostname-long-perl all 1.5-2 [11.5 kB] Get:74 http://archive.ubuntu.com/ubuntu jammy/main amd64 libmail-sendmail-perl all 0.80-1.1 [22.7 kB] Get:75 http://archi NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.15.0-92-generic NEEDRESTART-KEXP: 5.15.0-92-generic NEEDRESTART-KSTA: 1 Selecting previously unselected package m4. 05/04/2024 09:12:36 DEBUG: Checking curl tool version. 05/04/2024 09:12:36 DEBUG: Adding the Wazuh repository. gpg: keyring '/usr/share/keyrings/wazuh.gpg' created gpg: directory '/root/.gnupg' created gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) " imported gpg: Total number processed: 1 gpg: imported: 1 deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main Hit:1 http://security.ubuntu.com/ubuntu jammy-security InRelease Hit:2 http://archive.ubuntu.com/ubuntu jammy InRelease Hit:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease Hit:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB] Get:6 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [37.1 kB] Fetched 54.4 kB in 2s (29.2 kB/s) Reading package lists... 05/04/2024 09:12:40 INFO: Wazuh development repository added. 05/04/2024 09:12:40 INFO: --- Configuration files --- 05/04/2024 09:12:40 INFO: Generating configuration files. 05/04/2024 09:12:41 DEBUG: Creating Wazuh certificates. 05/04/2024 09:12:41 DEBUG: Reading configuration file. 05/04/2024 09:12:41 DEBUG: Checking if 127.0.0.1 is private. 05/04/2024 09:12:41 DEBUG: Checking if 127.0.0.1 is private. 05/04/2024 09:12:41 DEBUG: Checking if 127.0.0.1 is private. 05/04/2024 09:12:41 INFO: Generating the root certificate. 05/04/2024 09:12:41 INFO: Generating Admin certificates. 05/04/2024 09:12:41 DEBUG: Generating Admin private key. 05/04/2024 09:12:41 DEBUG: Converting Admin private key to PKCS8 format. 05/04/2024 09:12:41 DEBUG: Generating Admin CSR. 05/04/2024 09:12:41 DEBUG: Creating Admin certificate. 05/04/2024 09:12:41 INFO: Generating Wazuh indexer certificates. 05/04/2024 09:12:41 DEBUG: Creating the certificates for wazuh-indexer indexer node. 05/04/2024 09:12:41 DEBUG: Generating certificate configuration. 05/04/2024 09:12:41 DEBUG: Creating the Wazuh indexer tmp key pair. 05/04/2024 09:12:42 DEBUG: Creating the Wazuh indexer certificates. 05/04/2024 09:12:42 INFO: Generating Filebeat certificates. 05/04/2024 09:12:42 DEBUG: Generating the certificates for wazuh-server server node. 05/04/2024 09:12:42 DEBUG: Generating certificate configuration. 05/04/2024 09:12:42 DEBUG: Creating the Wazuh server tmp key pair. 05/04/2024 09:12:42 DEBUG: Creating the Wazuh server certificates. 05/04/2024 09:12:42 INFO: Generating Wazuh dashboard certificates. 05/04/2024 09:12:42 DEBUG: Generating certificate configuration. 05/04/2024 09:12:42 DEBUG: Creating the Wazuh dashboard tmp key pair. 05/04/2024 09:12:42 DEBUG: Creating the Wazuh dashboard certificates. 05/04/2024 09:12:42 DEBUG: Cleaning certificate files. 05/04/2024 09:12:42 DEBUG: Generating password file. 05/04/2024 09:12:42 DEBUG: Generating random passwords. 05/04/2024 09:12:43 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation. 05/04/2024 09:12:43 DEBUG: Extracting Wazuh configuration. 05/04/2024 09:12:43 DEBUG: Reading configuration file. 05/04/2024 09:12:43 DEBUG: Checking if 127.0.0.1 is private. 05/04/2024 09:12:43 DEBUG: Checking if 127.0.0.1 is private. 05/04/2024 09:12:43 DEBUG: Checking if 127.0.0.1 is private. 05/04/2024 09:12:43 INFO: --- Wazuh indexer --- 05/04/2024 09:12:43 INFO: Starting Wazuh indexer installation. Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: wazuh-indexer 0 upgraded, 1 newly installed, 0 to remove and 72 not upgraded. Need to get 758 MB of archives. After this operation, 1050 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-indexer amd64 4.8.0-1 [758 MB] Fetched 758 MB in 3min 1s (4188 kB/s) Selecting previousl NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.15.0-92-generic NEEDRESTART-KEXP: 5.15.0-92-generic NEEDRESTART-KSTA: 1 05/04/2024 09:16:41 DEBUG: Checking Wazuh installation. 05/04/2024 09:16:42 DEBUG: There are Wazuh indexer remaining files. 05/04/2024 09:16:42 INFO: Wazuh indexer installation finished. 05/04/2024 09:16:42 DEBUG: Configuring Wazuh indexer. 05/04/2024 09:16:42 DEBUG: Copying Wazuh indexer certificates. 05/04/2024 09:16:42 INFO: Wazuh indexer post-install configuration finished. 05/04/2024 09:16:42 INFO: Starting service wazuh-indexer. Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /lib/systemd/system/wazuh-indexer.service. 05/04/2024 09:17:03 INFO: wazuh-indexer service started. 05/04/2024 09:17:03 INFO: Initializing Wazuh indexer cluster security settings. ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index does not exists, attempt to create it ... done (0-all replicas) Populate config from /etc/wazuh-indexer/opensearch-security/ Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml SUCC: Configuration for 'config' created or updated Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml SUCC: Configuration for 'roles' created or updated Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml SUCC: Configuration for 'rolesmapping' created or updated Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml SUCC: Configuration for 'internalusers' created or updated Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml SUCC: Configuration for 'actiongroups' created or updated Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml SUCC: Configuration for 'tenants' created or updated Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml SUCC: Configuration for 'nodesdn' created or updated Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml SUCC: Configuration for 'whitelist' created or updated Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml SUCC: Configuration for 'audit' created or updated Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml SUCC: Configuration for 'allowlist' created or updated SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null Done with success 05/04/2024 09:17:14 INFO: Wazuh indexer cluster security configuration initialized. 05/04/2024 09:17:14 INFO: Wazuh indexer cluster initialized. 05/04/2024 09:17:14 INFO: --- Wazuh server --- 05/04/2024 09:17:14 INFO: Starting the Wazuh manager installation. Reading package lists... Building dependency tree... Reading state information... Suggested packages: expect The following NEW packages will be installed: wazuh-manager 0 upgraded, 1 newly installed, 0 to remove and 72 not upgraded. Need to get 309 MB of archives. After this operation, 912 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-manager amd64 4.8.0-1 [309 MB] Fetched 309 MB in 51s (6088 kB/ NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.15.0-92-generic NEEDRESTART-KEXP: 5.15.0-92-generic NEEDRESTART-KSTA: 1 05/04/2024 09:19:19 DEBUG: Checking Wazuh installation. 05/04/2024 09:19:20 DEBUG: There are Wazuh remaining files. 05/04/2024 09:19:20 DEBUG: There are Wazuh indexer remaining files. 05/04/2024 09:19:21 INFO: Wazuh manager installation finished. 05/04/2024 09:19:21 DEBUG: Configuring Wazuh manager. 05/04/2024 09:19:21 DEBUG: Setting provisional Wazuh indexer password. 05/04/2024 09:19:21 INFO: Wazuh manager vulnerability detection configuration finished. 05/04/2024 09:19:21 INFO: Starting service wazuh-manager. Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /lib/systemd/system/wazuh-manager.service. 05/04/2024 09:19:44 INFO: wazuh-manager service started. 05/04/2024 09:19:44 INFO: Starting Filebeat installation. Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: filebeat 0 upgraded, 1 newly installed, 0 to remove and 72 not upgraded. Need to get 22.1 MB of archives. After this operation, 73.6 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 filebeat amd64 7.10.2 [22.1 MB] Fetched 22.1 MB in 5s (4083 kB/s) Selecting previously unselected NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.15.0-92-generic NEEDRESTART-KEXP: 5.15.0-92-generic NEEDRESTART-KSTA: 1 05/04/2024 09:20:10 DEBUG: Checking Wazuh installation. 05/04/2024 09:20:11 DEBUG: There are Wazuh remaining files. 05/04/2024 09:20:11 DEBUG: There are Wazuh indexer remaining files. 05/04/2024 09:20:12 DEBUG: There are Filebeat remaining files. 05/04/2024 09:20:13 INFO: Filebeat installation finished. 05/04/2024 09:20:13 DEBUG: Configuring Filebeat. 05/04/2024 09:20:14 DEBUG: Filebeat template was download successfully. wazuh/ wazuh/_meta/ wazuh/_meta/docs.asciidoc wazuh/_meta/fields.yml wazuh/_meta/config.yml wazuh/alerts/ wazuh/alerts/config/ wazuh/alerts/config/alerts.yml wazuh/alerts/manifest.yml wazuh/alerts/ingest/ wazuh/alerts/ingest/pipeline.json wazuh/module.yml wazuh/archives/ wazuh/archives/config/ wazuh/archives/config/archives.yml wazuh/archives/manifest.yml wazuh/archives/ingest/ wazuh/archives/ingest/pipeline.json 05/04/2024 09:20:15 DEBUG: Filebeat module was downloaded successfully. 05/04/2024 09:20:15 DEBUG: Copying Filebeat certificates. Created filebeat keystore Successfully updated the keystore Successfully updated the keystore 05/04/2024 09:20:22 INFO: Filebeat post-install configuration finished. 05/04/2024 09:20:22 INFO: Starting service filebeat. Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable filebeat Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /lib/systemd/system/filebeat.service. 05/04/2024 09:20:25 INFO: filebeat service started. 05/04/2024 09:20:25 INFO: --- Wazuh dashboard --- 05/04/2024 09:20:25 INFO: Starting Wazuh dashboard installation. Reading package lists... Building dependency tree... Reading state information... The following NEW packages will be installed: wazuh-dashboard 0 upgraded, 1 newly installed, 0 to remove and 72 not upgraded. Need to get 186 MB of archives. After this operation, 987 MB of additional disk space will be used. Get:1 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 wazuh-dashboard amd64 4.8.0-1 [186 MB] Fetched 186 MB in 41s (4547 kB/s) Selecting previously NEEDRESTART-VER: 3.5 NEEDRESTART-KCUR: 5.15.0-92-generic NEEDRESTART-KEXP: 5.15.0-92-generic NEEDRESTART-KSTA: 1 05/04/2024 09:22:24 DEBUG: Checking Wazuh installation. 05/04/2024 09:22:25 DEBUG: There are Wazuh remaining files. 05/04/2024 09:22:25 DEBUG: There are Wazuh indexer remaining files. 05/04/2024 09:22:26 DEBUG: There are Filebeat remaining files. 05/04/2024 09:22:26 DEBUG: There are Wazuh dashboard remaining files. 05/04/2024 09:22:26 INFO: Wazuh dashboard installation finished. 05/04/2024 09:22:26 DEBUG: Configuring Wazuh dashboard. 05/04/2024 09:22:26 DEBUG: Copying Wazuh dashboard certificates. 05/04/2024 09:22:26 DEBUG: Wazuh dashboard certificate setup finished. 05/04/2024 09:22:26 INFO: Wazuh dashboard post-install configuration finished. 05/04/2024 09:22:26 INFO: Starting service wazuh-dashboard. Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service. 05/04/2024 09:22:27 INFO: wazuh-dashboard service started. 05/04/2024 09:22:27 DEBUG: Setting Wazuh indexer cluster passwords. 05/04/2024 09:22:27 DEBUG: Checking Wazuh installation. 05/04/2024 09:22:28 DEBUG: There are Wazuh remaining files. 05/04/2024 09:22:28 DEBUG: There are Wazuh indexer remaining files. 05/04/2024 09:22:29 DEBUG: There are Filebeat remaining files. 05/04/2024 09:22:29 DEBUG: There are Wazuh dashboard remaining files. 05/04/2024 09:22:29 INFO: Updating the internal users. 05/04/2024 09:22:29 DEBUG: Creating password backup. ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index already exists, so we do not need to create one. Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml 05/04/2024 09:22:38 DEBUG: Password backup created in /etc/wazuh-indexer/backup. 05/04/2024 09:22:38 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder. 05/04/2024 09:22:38 DEBUG: The internal users have been updated before changing the passwords. 05/04/2024 09:22:40 DEBUG: Generating password hashes. 05/04/2024 09:22:48 DEBUG: Password hashes generated. 05/04/2024 09:22:48 DEBUG: Creating password backup. ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index already exists, so we do not need to create one. Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml SUCC: Configuration for 'config' stored in /etc/wazuh-indexer/backup/config.yml Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml SUCC: Configuration for 'roles' stored in /etc/wazuh-indexer/backup/roles.yml Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml SUCC: Configuration for 'rolesmapping' stored in /etc/wazuh-indexer/backup/roles_mapping.yml Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml SUCC: Configuration for 'internalusers' stored in /etc/wazuh-indexer/backup/internal_users.yml Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml SUCC: Configuration for 'actiongroups' stored in /etc/wazuh-indexer/backup/action_groups.yml Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml SUCC: Configuration for 'tenants' stored in /etc/wazuh-indexer/backup/tenants.yml Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml SUCC: Configuration for 'audit' stored in /etc/wazuh-indexer/backup/audit.yml 05/04/2024 09:22:52 DEBUG: Password backup created in /etc/wazuh-indexer/backup. Successfully updated the keystore 05/04/2024 09:22:52 DEBUG: Restarting filebeat service... 05/04/2024 09:22:53 DEBUG: filebeat started. 05/04/2024 09:22:53 DEBUG: Restarting wazuh-manager service... 05/04/2024 09:23:23 DEBUG: wazuh-manager started. 05/04/2024 09:23:25 DEBUG: Restarting wazuh-dashboard service... 05/04/2024 09:23:25 DEBUG: wazuh-dashboard started. 05/04/2024 09:23:25 DEBUG: Running security admin tool. 05/04/2024 09:23:25 DEBUG: Loading new passwords changes. ************************************************************************** ** This tool will be deprecated in the next major release of OpenSearch ** ** https://github.com/opensearch-project/security/issues/1755 ** ************************************************************************** Security Admin v7 Will connect to 127.0.0.1:9200 ... done Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" OpenSearch Version: 2.10.0 Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ... Clustername: wazuh-cluster Clusterstate: GREEN Number of nodes: 1 Number of data nodes: 1 .opendistro_security index already exists, so we do not need to create one. Populate config from /home/vagrant Force type: internalusers Will update '/internalusers' with /etc/wazuh-indexer/backup/internal_users.yml SUCC: Configuration for 'internalusers' created or updated SUCC: Expected 1 config types for node {"updated_config_types":["internalusers"],"updated_config_size":1,"message":null} is 1 (["internalusers"]) due to: null Done with success 05/04/2024 09:23:32 DEBUG: Passwords changed. 05/04/2024 09:23:32 DEBUG: Changing API passwords. 05/04/2024 09:23:42 INFO: Initializing Wazuh dashboard web application. 05/04/2024 09:23:42 INFO: Wazuh dashboard web application not yet initialized. Waiting... 05/04/2024 09:23:57 INFO: Wazuh dashboard web application not yet initialized. Waiting... 05/04/2024 09:24:12 INFO: Wazuh dashboard web application initialized. 05/04/2024 09:24:12 DEBUG: Restoring Wazuh repository. 05/04/2024 09:24:13 INFO: Installation finished. ```
Wazuh manager log Some errors like the following are generated: ```console 2024/04/05 09:19:41 indexer-connector: WARNING: Error initializing IndexerConnector for index 'wazuh-states-vulnerabilities': Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Problem with the local SSL certificate. Retrying in 2 seconds. Maximum wait time: 60 seconds. ``` I beleive that this error is not related to the certificate change. It is related to a time condition between the Wazuh indexer and the Wazuh manager. Then, this warnings stop generating. ``` 2024/04/05 09:20:44 indexer-connector: INFO: IndexerConnector initialized. ``` ```console root@ubuntu22:/home/vagrant# cat /var/ossec/logs/ossec.log 2024/04/05 09:19:26 wazuh-modulesd:router: INFO: Loaded router module. 2024/04/05 09:19:26 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. 2024/04/05 09:19:32 wazuh-csyslogd: INFO: Remote syslog server not configured. Clean exit. 2024/04/05 09:19:32 wazuh-dbd: INFO: Database not configured. Clean exit. 2024/04/05 09:19:32 wazuh-integratord: INFO: Remote integrations not configured. Clean exit. 2024/04/05 09:19:32 wazuh-agentlessd: INFO: Not configured. Exiting. 2024/04/05 09:19:32 wazuh-authd: INFO: Started (pid: 50958). 2024/04/05 09:19:32 wazuh-authd: INFO: Accepting connections on port 1515. No password required. 2024/04/05 09:19:32 wazuh-authd: INFO: Setting network timeout to 1.000000 sec. 2024/04/05 09:19:33 wazuh-db: INFO: Started (pid: 50974). 2024/04/05 09:19:33 wazuh-db: INFO: Created Global database backup "backup/db/global.db-backup-2024-04-05-09:19:33.gz" 2024/04/05 09:19:34 wazuh-execd: INFO: Started (pid: 50999). 2024/04/05 09:19:36 wazuh-analysisd: INFO: Total rules enabled: '6786' 2024/04/05 09:19:36 wazuh-analysisd: INFO: Started (pid: 51022). 2024/04/05 09:19:36 wazuh-syscheckd: INFO: Started (pid: 51035). 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key' 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6000): Starting daemon... 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds 2024/04/05 09:19:36 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started. 2024/04/05 09:19:36 wazuh-analysisd: INFO: EPS limit disabled 2024/04/05 09:19:36 wazuh-analysisd: INFO: (7200): Logtest started 2024/04/05 09:19:36 rootcheck: INFO: Starting rootcheck scan. 2024/04/05 09:19:37 wazuh-remoted: INFO: Started (pid: 51082). Listening on port 1514/TCP (secure). 2024/04/05 09:19:37 wazuh-remoted: INFO: (1410): Reading authentication keys file. 2024/04/05 09:19:39 wazuh-logcollector: INFO: Monitoring output of command(360): df -P 2024/04/05 09:19:39 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d 2024/04/05 09:19:39 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20 2024/04/05 09:19:39 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'. 2024/04/05 09:19:39 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'. 2024/04/05 09:19:39 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'. 2024/04/05 09:19:39 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'. 2024/04/05 09:19:39 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/kern.log'. 2024/04/05 09:19:39 wazuh-logcollector: INFO: Started (pid: 51117). 2024/04/05 09:19:40 wazuh-monitord: INFO: Started (pid: 51135). 2024/04/05 09:19:41 wazuh-modulesd:router: INFO: Loaded router module. 2024/04/05 09:19:41 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. 2024/04/05 09:19:41 wazuh-modulesd: INFO: Started (pid: 51157). 2024/04/05 09:19:41 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started. 2024/04/05 09:19:41 wazuh-modulesd:osquery: INFO: Module disabled. Exiting... 2024/04/05 09:19:41 wazuh-modulesd:control: INFO: Starting control thread. 2024/04/05 09:19:41 wazuh-modulesd:database: INFO: Module started. 2024/04/05 09:19:41 wazuh-modulesd:download: INFO: Module started. 2024/04/05 09:19:41 wazuh-modulesd:content_manager: INFO: Starting content_manager module. 2024/04/05 09:19:41 wazuh-modulesd:router: INFO: Starting router module. 2024/04/05 09:19:41 sca: INFO: Module started. 2024/04/05 09:19:41 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml' 2024/04/05 09:19:41 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module. 2024/04/05 09:19:41 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting... 2024/04/05 09:19:41 sca: INFO: Starting Security Configuration Assessment scan. 2024/04/05 09:19:41 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started. 2024/04/05 09:19:41 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml' 2024/04/05 09:19:41 wazuh-modulesd:syscollector: INFO: Module started. 2024/04/05 09:19:41 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2024/04/05 09:19:41 wazuh-modulesd:vulnerability-scanner: INFO: Starting database file decompression. 2024/04/05 09:19:41 indexer-connector: WARNING: Error initializing IndexerConnector for index 'wazuh-states-vulnerabilities': Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Problem with the local SSL certificate. Retrying in 2 seconds. Maximum wait time: 60 seconds. 2024/04/05 09:19:42 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2024/04/05 09:19:43 indexer-connector: WARNING: Error initializing IndexerConnector for index 'wazuh-states-vulnerabilities': Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Problem with the local SSL certificate. Retrying in 4 seconds. Maximum wait time: 60 seconds. 2024/04/05 09:19:47 indexer-connector: WARNING: Error initializing IndexerConnector for index 'wazuh-states-vulnerabilities': Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Problem with the local SSL certificate. Retrying in 8 seconds. Maximum wait time: 60 seconds. 2024/04/05 09:19:55 indexer-connector: WARNING: Error initializing IndexerConnector for index 'wazuh-states-vulnerabilities': Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Problem with the local SSL certificate. Retrying in 16 seconds. Maximum wait time: 60 seconds. 2024/04/05 09:19:57 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml' 2024/04/05 09:19:57 sca: INFO: Security Configuration Assessment scan finished. Duration: 16 seconds. 2024/04/05 09:19:57 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended. 2024/04/05 09:19:57 wazuh-syscheckd: INFO: FIM sync module started. 2024/04/05 09:20:12 indexer-connector: WARNING: Error initializing IndexerConnector for index 'wazuh-states-vulnerabilities': Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Problem with the local SSL certificate. Retrying in 32 seconds. Maximum wait time: 60 seconds. 2024/04/05 09:20:44 indexer-connector: INFO: IndexerConnector initialized. 2024/04/05 09:20:50 rootcheck: INFO: Ending rootcheck scan. 2024/04/05 09:21:43 wazuh-modulesd:vulnerability-scanner: INFO: Database decompression finished. 2024/04/05 09:21:45 wazuh-modulesd:content-updater: INFO: Starting scheduled action for 'vulnerability_feed_manager' 2024/04/05 09:21:45 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:21:46 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started 2024/04/05 09:22:53 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2024/04/05 09:22:53 wazuh-modulesd:syscollector: INFO: Module finished. 2024/04/05 09:22:53 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module. 2024/04/05 09:23:01 wazuh-modulesd:router: INFO: Stopping router module. 2024/04/05 09:23:01 wazuh-modulesd:content_manager: INFO: Stopping content_manager module. 2024/04/05 09:23:02 wazuh-modulesd:content-updater: WARNING: The offsets download has been interrupted 2024/04/05 09:23:02 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:23:02 wazuh-modulesd:content-updater: INFO: Scheduler stopped for 'vulnerability_feed_manager' 2024/04/05 09:23:02 wazuh-monitord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:23:02 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:23:02 wazuh-remoted: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:23:02 wazuh-syscheckd: INFO: (1756): Shutdown received. Releasing resources. 2024/04/05 09:23:02 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:23:03 wazuh-analysisd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:23:03 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses. 2024/04/05 09:23:03 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:23:03 wazuh-db: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:23:04 wazuh-authd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:23:05 wazuh-authd: INFO: Exiting... 2024/04/05 09:23:07 wazuh-modulesd:router: INFO: Loaded router module. 2024/04/05 09:23:07 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. 2024/04/05 09:23:11 wazuh-csyslogd: INFO: Remote syslog server not configured. Clean exit. 2024/04/05 09:23:11 wazuh-dbd: INFO: Database not configured. Clean exit. 2024/04/05 09:23:11 wazuh-integratord: INFO: Remote integrations not configured. Clean exit. 2024/04/05 09:23:11 wazuh-agentlessd: INFO: Not configured. Exiting. 2024/04/05 09:23:11 wazuh-authd: INFO: Started (pid: 54109). 2024/04/05 09:23:11 wazuh-authd: INFO: Accepting connections on port 1515. No password required. 2024/04/05 09:23:11 wazuh-authd: INFO: Setting network timeout to 1.000000 sec. 2024/04/05 09:23:12 wazuh-db: INFO: Started (pid: 54125). 2024/04/05 09:23:13 wazuh-execd: INFO: Started (pid: 54149). 2024/04/05 09:23:15 wazuh-analysisd: INFO: Total rules enabled: '6786' 2024/04/05 09:23:15 wazuh-analysisd: INFO: Started (pid: 54164). 2024/04/05 09:23:15 wazuh-analysisd: INFO: EPS limit disabled 2024/04/05 09:23:15 wazuh-analysisd: INFO: (7200): Logtest started 2024/04/05 09:23:15 wazuh-syscheckd: INFO: Started (pid: 54207). 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key' 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6000): Starting daemon... 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds 2024/04/05 09:23:15 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started. 2024/04/05 09:23:15 rootcheck: INFO: Starting rootcheck scan. 2024/04/05 09:23:16 wazuh-remoted: INFO: Started (pid: 54224). Listening on port 1514/TCP (secure). 2024/04/05 09:23:16 wazuh-remoted: INFO: (1410): Reading authentication keys file. 2024/04/05 09:23:18 wazuh-logcollector: INFO: Monitoring output of command(360): df -P 2024/04/05 09:23:18 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d 2024/04/05 09:23:18 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20 2024/04/05 09:23:18 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'. 2024/04/05 09:23:18 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'. 2024/04/05 09:23:18 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'. 2024/04/05 09:23:18 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'. 2024/04/05 09:23:18 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/kern.log'. 2024/04/05 09:23:18 wazuh-logcollector: INFO: Started (pid: 54258). 2024/04/05 09:23:19 wazuh-monitord: INFO: Started (pid: 54277). 2024/04/05 09:23:20 wazuh-modulesd:router: INFO: Loaded router module. 2024/04/05 09:23:20 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. 2024/04/05 09:23:20 wazuh-modulesd: INFO: Started (pid: 54299). 2024/04/05 09:23:20 wazuh-modulesd:database: INFO: Module started. 2024/04/05 09:23:20 wazuh-modulesd:content_manager: INFO: Starting content_manager module. 2024/04/05 09:23:20 wazuh-modulesd:router: INFO: Starting router module. 2024/04/05 09:23:20 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module. 2024/04/05 09:23:20 sca: INFO: Module started. 2024/04/05 09:23:20 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml' 2024/04/05 09:23:20 wazuh-modulesd:osquery: INFO: Module disabled. Exiting... 2024/04/05 09:23:20 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting... 2024/04/05 09:23:20 wazuh-modulesd:download: INFO: Module started. 2024/04/05 09:23:20 wazuh-modulesd:control: INFO: Starting control thread. 2024/04/05 09:23:20 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started. 2024/04/05 09:23:20 sca: INFO: Starting Security Configuration Assessment scan. 2024/04/05 09:23:20 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started. 2024/04/05 09:23:20 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml' 2024/04/05 09:23:20 wazuh-modulesd:syscollector: INFO: Module started. 2024/04/05 09:23:20 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2024/04/05 09:23:21 indexer-connector: WARNING: Error initializing IndexerConnector for index 'wazuh-states-vulnerabilities': Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Failed to initialize template for index 'wazuh-states-vulnerabilities'. HTTP error: HTTP response code said error (Status code: 401).. Retrying in 2 seconds. Maximum wait time: 60 seconds. 2024/04/05 09:23:21 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2024/04/05 09:23:21 wazuh-modulesd:content-updater: INFO: Starting scheduled action for 'vulnerability_feed_manager' 2024/04/05 09:23:21 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:23:22 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started 2024/04/05 09:23:23 indexer-connector: WARNING: Error initializing IndexerConnector for index 'wazuh-states-vulnerabilities': Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Failed to initialize template for index 'wazuh-states-vulnerabilities'. HTTP error: HTTP response code said error (Status code: 401).. Retrying in 4 seconds. Maximum wait time: 60 seconds. 2024/04/05 09:23:24 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended. 2024/04/05 09:23:24 wazuh-syscheckd: INFO: FIM sync module started. 2024/04/05 09:23:28 indexer-connector: WARNING: Error initializing IndexerConnector for index 'wazuh-states-vulnerabilities': Failed to initialize template for index 'wazuh-states-vulnerabilities'. Error: Failed to initialize template for index 'wazuh-states-vulnerabilities'. HTTP error: HTTP response code said error (Status code: 401).. Retrying in 8 seconds. Maximum wait time: 60 seconds. 2024/04/05 09:23:32 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml' 2024/04/05 09:23:32 sca: INFO: Security Configuration Assessment scan finished. Duration: 12 seconds. 2024/04/05 09:23:37 indexer-connector: INFO: IndexerConnector initialized. 2024/04/05 09:23:53 rootcheck: INFO: Ending rootcheck scan. 2024/04/05 09:25:39 wazuh-modulesd:content-updater: INFO: Data published 2024/04/05 09:25:39 wazuh-modulesd:vulnerability-scanner: INFO: Processing message 2024/04/05 09:25:39 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:25:39 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/245855-api_file.json 2024/04/05 09:26:06 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:26:06 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:26:06 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:28:17 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:28:17 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:28:17 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:28:49 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:28:49 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:28:49 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:28:57 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:28:57 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:28:57 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:29:06 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:29:06 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:29:06 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:29:07 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/246855-api_file.json 2024/04/05 09:29:10 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:29:10 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:29:10 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:29:15 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:29:15 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:29:15 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:29:24 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:29:24 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:29:24 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:30:42 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:30:42 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:30:42 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:31:18 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:31:18 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:31:18 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:31:20 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/247855-api_file.json 2024/04/05 09:31:27 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:31:27 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:31:27 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:31:32 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:31:32 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:31:32 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:31:43 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:31:43 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:31:43 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:31:47 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:31:47 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:31:47 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:31:55 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:31:55 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:31:55 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:31:56 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/248855-api_file.json 2024/04/05 09:32:05 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:32:05 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:32:05 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:32:13 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:32:13 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:32:13 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:32:23 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:32:23 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:32:23 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:32:32 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:32:32 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:32:32 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:32:38 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:32:38 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:32:38 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:32:39 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/249855-api_file.json 2024/04/05 09:32:52 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:32:52 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:32:52 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:33:03 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:33:03 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:33:03 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:33:13 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:33:13 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:33:13 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:33:19 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:33:19 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:33:19 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:33:25 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:33:25 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:33:25 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:33:26 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/250855-api_file.json 2024/04/05 09:33:32 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:33:32 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:33:32 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:33:40 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:33:40 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:33:40 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:33:50 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:33:50 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:33:50 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:33:57 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:33:57 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:33:57 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:34:03 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:34:03 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:34:03 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:34:04 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/251855-api_file.json 2024/04/05 09:34:12 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:34:12 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:34:12 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:34:20 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:34:20 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:34:20 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:34:30 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:34:30 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:34:30 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:34:37 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:34:37 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:34:37 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:34:42 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:34:42 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:34:42 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:34:43 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/252855-api_file.json 2024/04/05 09:34:51 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:34:51 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:34:51 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:35:06 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:35:06 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:35:06 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:35:21 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:35:21 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:35:21 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:35:25 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:35:25 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:35:25 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:35:30 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:35:30 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:35:30 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:35:31 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/253855-api_file.json 2024/04/05 09:35:39 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:35:39 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:35:39 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:35:42 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:35:42 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:35:42 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:35:48 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:35:48 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:35:48 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:35:56 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:35:56 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:35:56 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:36:02 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:36:02 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:36:02 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:36:03 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/254855-api_file.json 2024/04/05 09:36:07 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:36:07 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:36:07 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:36:14 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:36:14 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:36:14 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:36:23 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:36:23 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:36:23 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:36:29 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:36:29 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:36:29 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:36:39 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:36:39 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:36:39 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:36:40 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/255855-api_file.json 2024/04/05 09:36:50 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:36:50 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:36:50 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:36:58 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:36:58 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:36:58 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:37:07 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:37:07 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:37:07 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:37:14 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:37:14 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:37:14 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:37:19 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:37:19 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:37:19 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:37:20 wazuh-modulesd:vulnerability-scanner: INFO: Processing file: queue/vd_updater/tmp/contents/256855-api_file.json 2024/04/05 09:37:23 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:37:23 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:37:23 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:37:49 wazuh-modulesd:content-updater: INFO: Starting on-demand action for 'vulnerability_feed_manager' 2024/04/05 09:37:49 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' started 2024/04/05 09:37:49 wazuh-modulesd:content-updater: INFO: Action for 'vulnerability_feed_manager' finished 2024/04/05 09:45:36 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2024/04/05 09:45:36 wazuh-modulesd:syscollector: INFO: Module finished. 2024/04/05 09:45:36 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module. 2024/04/05 09:45:50 wazuh-modulesd:vulnerability-scanner: INFO: Message processed 2024/04/05 09:45:58 wazuh-modulesd:router: INFO: Stopping router module. 2024/04/05 09:45:58 wazuh-modulesd:content_manager: INFO: Stopping content_manager module. 2024/04/05 09:45:58 wazuh-modulesd:content-updater: INFO: Scheduler stopped for 'vulnerability_feed_manager' 2024/04/05 09:45:59 wazuh-monitord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:45:59 wazuh-logcollector: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:45:59 wazuh-remoted: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:45:59 wazuh-syscheckd: INFO: (1756): Shutdown received. Releasing resources. 2024/04/05 09:45:59 wazuh-syscheckd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:45:59 wazuh-analysisd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:45:59 wazuh-execd: INFO: (1314): Shutdown received. Deleting responses. 2024/04/05 09:45:59 wazuh-execd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:46:00 wazuh-db: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:46:01 wazuh-authd: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning... 2024/04/05 09:46:02 wazuh-authd: INFO: Exiting... 2024/04/05 09:46:04 wazuh-csyslogd: ERROR: (1226): Error reading XML file 'etc/ossec.conf': (line 0). 2024/04/05 09:49:17 wazuh-csyslogd: ERROR: (1226): Error reading XML file 'etc/ossec.conf': (line 0). 2024/04/05 09:50:49 wazuh-modulesd:router: INFO: Loaded router module. 2024/04/05 09:50:49 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. 2024/04/05 09:50:55 wazuh-csyslogd: INFO: Remote syslog server not configured. Clean exit. 2024/04/05 09:50:55 wazuh-dbd: INFO: Database not configured. Clean exit. 2024/04/05 09:50:55 wazuh-integratord: INFO: Remote integrations not configured. Clean exit. 2024/04/05 09:50:55 wazuh-agentlessd: INFO: Not configured. Exiting. 2024/04/05 09:50:55 wazuh-authd: INFO: Started (pid: 58567). 2024/04/05 09:50:55 wazuh-authd: INFO: Accepting connections on port 1515. No password required. 2024/04/05 09:50:55 wazuh-authd: INFO: Setting network timeout to 1.000000 sec. 2024/04/05 09:50:56 wazuh-db: INFO: Started (pid: 58583). 2024/04/05 09:50:57 wazuh-execd: INFO: Started (pid: 58608). 2024/04/05 09:50:59 wazuh-analysisd: INFO: Total rules enabled: '6786' 2024/04/05 09:50:59 wazuh-analysisd: INFO: Started (pid: 58622). 2024/04/05 09:50:59 wazuh-syscheckd: INFO: Started (pid: 58635). 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6003): Monitoring path: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6003): Monitoring path: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6003): Monitoring path: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6003): Monitoring path: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6003): Monitoring path: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'. 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mtab' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/hosts.deny' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/mail/statistics' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random-seed' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/random.seed' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/adjtime' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/httpd/logs' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/utmpx' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/wtmpx' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/cups/certs' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/dumpdates' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6206): Ignore 'file' entry '/etc/svc/volatile' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6207): Ignore 'file' sregex '.log$|.swp$' 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6004): No diff for file: '/etc/ssl/private.key' 2024/04/05 09:50:59 rootcheck: INFO: Starting rootcheck scan. 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6000): Starting daemon... 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds 2024/04/05 09:50:59 wazuh-syscheckd: INFO: (6008): File integrity monitoring scan started. 2024/04/05 09:50:59 wazuh-analysisd: INFO: (7200): Logtest started 2024/04/05 09:50:59 wazuh-analysisd: INFO: EPS limit disabled 2024/04/05 09:51:00 wazuh-remoted: INFO: Started (pid: 58682). Listening on port 1514/TCP (secure). 2024/04/05 09:51:00 wazuh-remoted: INFO: (1410): Reading authentication keys file. 2024/04/05 09:51:01 wazuh-logcollector: INFO: Monitoring output of command(360): df -P 2024/04/05 09:51:01 wazuh-logcollector: INFO: Monitoring full output of command(360): netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d 2024/04/05 09:51:01 wazuh-logcollector: INFO: Monitoring full output of command(360): last -n 20 2024/04/05 09:51:01 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/ossec/logs/active-responses.log'. 2024/04/05 09:51:01 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/auth.log'. 2024/04/05 09:51:01 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/syslog'. 2024/04/05 09:51:01 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/dpkg.log'. 2024/04/05 09:51:01 wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/kern.log'. 2024/04/05 09:51:01 wazuh-logcollector: INFO: Started (pid: 58716). 2024/04/05 09:51:02 wazuh-monitord: INFO: Started (pid: 58735). 2024/04/05 09:51:03 wazuh-modulesd:router: INFO: Loaded router module. 2024/04/05 09:51:03 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. 2024/04/05 09:51:03 wazuh-modulesd: INFO: Started (pid: 58757). 2024/04/05 09:51:03 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started. 2024/04/05 09:51:03 wazuh-modulesd:router: INFO: Starting router module. 2024/04/05 09:51:03 wazuh-modulesd:osquery: INFO: Module disabled. Exiting... 2024/04/05 09:51:03 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting... 2024/04/05 09:51:03 sca: INFO: Module started. 2024/04/05 09:51:03 sca: INFO: Loaded policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml' 2024/04/05 09:51:03 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module. 2024/04/05 09:51:03 wazuh-modulesd:content_manager: INFO: Starting content_manager module. 2024/04/05 09:51:03 wazuh-modulesd:database: INFO: Module started. 2024/04/05 09:51:03 wazuh-modulesd:download: INFO: Module started. 2024/04/05 09:51:03 wazuh-modulesd:control: INFO: Starting control thread. 2024/04/05 09:51:03 sca: INFO: Starting Security Configuration Assessment scan. 2024/04/05 09:51:03 wazuh-modulesd:task-manager: INFO: (8200): Module Task Manager started. 2024/04/05 09:51:03 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml' 2024/04/05 09:51:03 wazuh-modulesd:syscollector: INFO: Module started. 2024/04/05 09:51:03 wazuh-modulesd:syscollector: INFO: Starting evaluation. 2024/04/05 09:51:03 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module is disabled 2024/04/05 09:51:04 wazuh-modulesd:syscollector: INFO: Evaluation finished. 2024/04/05 09:51:08 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended. 2024/04/05 09:51:08 wazuh-syscheckd: INFO: FIM sync module started. 2024/04/05 09:51:15 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_ubuntu22-04.yml' 2024/04/05 09:51:15 sca: INFO: Security Configuration Assessment scan finished. Duration: 12 seconds. 2024/04/05 09:51:33 rootcheck: INFO: Ending rootcheck scan. ```
Wazuh indexer log ```console root@ubuntu22:/home/vagrant# cat /var/log/wazuh-indexer/wazuh-cluster.log [2024-04-05T09:16:50,527][INFO ][o.o.n.Node ] [node-1] version[2.10.0], pid[5912], build[rpm/eee49cb340edc6c4d489bcd9324dda571fc8dc03/2023-09-20T23:54:29.889267151Z], OS[Linux/5.15.0-92-generic/amd64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/17.0.8/17.0.8+7] [2024-04-05T09:16:50,530][INFO ][o.o.n.Node ] [node-1] JVM home [/usr/share/wazuh-indexer/jdk], using bundled JDK/JRE [true] [2024-04-05T09:16:50,530][INFO ][o.o.n.Node ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1954m, -Xmx1954m, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-922446080234556353, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opendistro-performance-analyzer/pa_config/es_security.policy, -XX:MaxDirectMemorySize=1024458752, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true] [2024-04-05T09:16:51,985][INFO ][o.o.s.s.t.SSLConfig ] [node-1] SSL dual mode is disabled [2024-04-05T09:16:51,986][INFO ][o.o.s.OpenSearchSecurityPlugin] [node-1] OpenSearch Config path is /etc/wazuh-indexer [2024-04-05T09:16:52,337][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] JVM supports TLSv1.3 [2024-04-05T09:16:52,339][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] Config directory is /etc/wazuh-indexer/, from there the key- and truststore files are resolved relatively [2024-04-05T09:16:53,243][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS Transport Client Provider : JDK [2024-04-05T09:16:53,244][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS Transport Server Provider : JDK [2024-04-05T09:16:53,244][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] TLS HTTP Provider : JDK [2024-04-05T09:16:53,245][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] Enabled TLS protocols for transport layer : [TLSv1.3, TLSv1.2] [2024-04-05T09:16:53,245][INFO ][o.o.s.s.DefaultSecurityKeyStore] [node-1] Enabled TLS protocols for HTTP layer : [TLSv1.2] [2024-04-05T09:16:53,285][INFO ][o.o.s.OpenSearchSecurityPlugin] [node-1] Clustername: wazuh-cluster [2024-04-05T09:16:54,161][INFO ][o.o.p.c.c.PluginSettings ] [node-1] Trying to create directory /dev/shm/performanceanalyzer/. [2024-04-05T09:16:54,162][INFO ][o.o.p.c.c.PluginSettings ] [node-1] Config: metricsLocation: /dev/shm/performanceanalyzer/, metricsDeletionInterval: 1, httpsEnabled: false, cleanup-metrics-db-files: true, batch-metrics-retention-period-minutes: 7, rpc-port: 9650, webservice-port 9600 [2024-04-05T09:16:54,806][INFO ][o.o.i.r.ReindexPlugin ] [node-1] ReindexPlugin reloadSPI called [2024-04-05T09:16:54,810][INFO ][o.o.i.r.ReindexPlugin ] [node-1] Unable to find any implementation for RemoteReindexExtension [2024-04-05T09:16:54,885][INFO ][o.o.j.JobSchedulerPlugin ] [node-1] Loaded scheduler extension: reports-scheduler, index: .opendistro-reports-definitions [2024-04-05T09:16:54,890][INFO ][o.o.j.JobSchedulerPlugin ] [node-1] Loaded scheduler extension: opendistro_anomaly_detector, index: .opendistro-anomaly-detector-jobs [2024-04-05T09:16:54,891][INFO ][o.o.j.JobSchedulerPlugin ] [node-1] Loaded scheduler extension: opendistro-index-management, index: .opendistro-ism-config [2024-04-05T09:16:54,894][INFO ][o.o.j.JobSchedulerPlugin ] [node-1] Loaded scheduler extension: scheduler_geospatial_ip2geo_datasource, index: .scheduler-geospatial-ip2geo-datasource [2024-04-05T09:16:54,901][INFO ][o.o.p.PluginsService ] [node-1] loaded module [aggs-matrix-stats] [2024-04-05T09:16:54,902][INFO ][o.o.p.PluginsService ] [node-1] loaded module [analysis-common] [2024-04-05T09:16:54,902][INFO ][o.o.p.PluginsService ] [node-1] loaded module [geo] [2024-04-05T09:16:54,902][INFO ][o.o.p.PluginsService ] [node-1] loaded module [ingest-common] [2024-04-05T09:16:54,903][INFO ][o.o.p.PluginsService ] [node-1] loaded module [ingest-geoip] [2024-04-05T09:16:54,903][INFO ][o.o.p.PluginsService ] [node-1] loaded module [ingest-user-agent] [2024-04-05T09:16:54,903][INFO ][o.o.p.PluginsService ] [node-1] loaded module [lang-expression] [2024-04-05T09:16:54,903][INFO ][o.o.p.PluginsService ] [node-1] loaded module [lang-mustache] [2024-04-05T09:16:54,904][INFO ][o.o.p.PluginsService ] [node-1] loaded module [lang-painless] [2024-04-05T09:16:54,905][INFO ][o.o.p.PluginsService ] [node-1] loaded module [mapper-extras] [2024-04-05T09:16:54,906][INFO ][o.o.p.PluginsService ] [node-1] loaded module [opensearch-dashboards] [2024-04-05T09:16:54,906][INFO ][o.o.p.PluginsService ] [node-1] loaded module [parent-join] [2024-04-05T09:16:54,906][INFO ][o.o.p.PluginsService ] [node-1] loaded module [percolator] [2024-04-05T09:16:54,907][INFO ][o.o.p.PluginsService ] [node-1] loaded module [rank-eval] [2024-04-05T09:16:54,907][INFO ][o.o.p.PluginsService ] [node-1] loaded module [reindex] [2024-04-05T09:16:54,907][INFO ][o.o.p.PluginsService ] [node-1] loaded module [repository-url] [2024-04-05T09:16:54,908][INFO ][o.o.p.PluginsService ] [node-1] loaded module [search-pipeline-common] [2024-04-05T09:16:54,908][INFO ][o.o.p.PluginsService ] [node-1] loaded module [systemd] [2024-04-05T09:16:54,908][INFO ][o.o.p.PluginsService ] [node-1] loaded module [transport-netty4] [2024-04-05T09:16:54,909][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-alerting] [2024-04-05T09:16:54,910][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-anomaly-detection] [2024-04-05T09:16:54,910][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-asynchronous-search] [2024-04-05T09:16:54,911][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-cross-cluster-replication] [2024-04-05T09:16:54,912][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-custom-codecs] [2024-04-05T09:16:54,912][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-geospatial] [2024-04-05T09:16:54,913][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-index-management] [2024-04-05T09:16:54,914][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-job-scheduler] [2024-04-05T09:16:54,914][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-knn] [2024-04-05T09:16:54,914][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-ml] [2024-04-05T09:16:54,915][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-neural-search] [2024-04-05T09:16:54,915][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-notifications] [2024-04-05T09:16:54,915][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-notifications-core] [2024-04-05T09:16:54,915][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-observability] [2024-04-05T09:16:54,916][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-performance-analyzer] [2024-04-05T09:16:54,917][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-reports-scheduler] [2024-04-05T09:16:54,917][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-security] [2024-04-05T09:16:54,919][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-security-analytics] [2024-04-05T09:16:54,919][INFO ][o.o.p.PluginsService ] [node-1] loaded plugin [opensearch-sql] [2024-04-05T09:16:54,981][INFO ][o.o.s.OpenSearchSecurityPlugin] [node-1] Disabled https compression by default to mitigate BREACH attacks. You can enable it by setting 'http.compression: true' in opensearch.yml [2024-04-05T09:16:54,989][INFO ][o.o.e.ExtensionsManager ] [node-1] ExtensionsManager initialized [2024-04-05T09:16:55,027][INFO ][o.o.e.NodeEnvironment ] [node-1] using [1] data paths, mounts [[/ (/dev/sda1)]], net usable_space [35.1gb], net total_space [38.7gb], types [ext4] [2024-04-05T09:16:55,028][INFO ][o.o.e.NodeEnvironment ] [node-1] heap size [1.9gb], compressed ordinary object pointers [true] [2024-04-05T09:16:55,068][INFO ][o.o.n.Node ] [node-1] node name [node-1], node ID [Nhl4cMrLQEK9RwNdp6T1XQ], cluster name [wazuh-cluster], roles [ingest, remote_cluster_client, data, cluster_manager] [2024-04-05T09:16:58,941][INFO ][o.o.n.p.NeuralSearch ] [node-1] Registering hybrid query phase searcher with feature flag [plugins.neural_search.hybrid_search_disabled] [2024-04-05T09:16:59,276][WARN ][o.o.s.c.Salt ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes [2024-04-05T09:16:59,312][ERROR][o.o.s.a.s.SinkProvider ] [node-1] Default endpoint could not be created, auditlog will not work properly. [2024-04-05T09:16:59,314][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration. [2024-04-05T09:16:59,314][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Message routing enabled: false [2024-04-05T09:16:59,356][INFO ][o.o.s.f.SecurityFilter ] [node-1] indices are made immutable. [2024-04-05T09:16:59,763][INFO ][o.o.a.b.ADCircuitBreakerService] [node-1] Registered memory breaker. [2024-04-05T09:17:00,289][INFO ][o.o.m.b.MLCircuitBreakerService] [node-1] Registered ML memory breaker. [2024-04-05T09:17:00,290][INFO ][o.o.m.b.MLCircuitBreakerService] [node-1] Registered ML disk breaker. [2024-04-05T09:17:00,290][INFO ][o.o.m.b.MLCircuitBreakerService] [node-1] Registered ML native memory breaker. [2024-04-05T09:17:00,438][INFO ][o.r.Reflections ] [node-1] Reflections took 65 ms to scan 1 urls, producing 17 keys and 43 values [2024-04-05T09:17:00,530][WARN ][o.o.s.p.SQLPlugin ] [node-1] Master key is a required config for using create and update datasource APIs. Please set plugins.query.datasources.encryption.masterkey config in opensearch.yml in all the cluster nodes. More details can be found here: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/admin/datasources.rst#master-key-config-for-encrypting-credential-information [2024-04-05T09:17:01,336][INFO ][o.o.t.NettyAllocator ] [node-1] creating NettyAllocator with the following configs: [name=opensearch_configured, chunk_size=256kb, suggested_max_allocation_size=256kb, factors={opensearch.unsafe.use_netty_default_chunk_and_page_size=false, g1gc_enabled=true, g1gc_region_size=1mb}] [2024-04-05T09:17:01,488][INFO ][o.o.d.DiscoveryModule ] [node-1] using discovery type [zen] and seed hosts providers [settings] [2024-04-05T09:17:02,147][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually [2024-04-05T09:17:02,787][INFO ][o.o.p.h.c.PerformanceAnalyzerConfigAction] [node-1] PerformanceAnalyzer Enabled: true [2024-04-05T09:17:02,853][INFO ][o.o.n.Node ] [node-1] initialized [2024-04-05T09:17:02,854][INFO ][o.o.n.Node ] [node-1] starting ... [2024-04-05T09:17:02,931][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [windows_logtype.json] log type [2024-04-05T09:17:02,933][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [vpcflow_logtype.json] log type [2024-04-05T09:17:02,934][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [test_windows_logtype.json] log type [2024-04-05T09:17:02,936][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [s3_logtype.json] log type [2024-04-05T09:17:02,937][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [others_web_logtype.json] log type [2024-04-05T09:17:02,939][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [others_proxy_logtype.json] log type [2024-04-05T09:17:02,941][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [others_macos_logtype.json] log type [2024-04-05T09:17:02,942][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [others_compliance_logtype.json] log type [2024-04-05T09:17:02,943][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [others_cloud_logtype.json] log type [2024-04-05T09:17:02,944][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [others_apt_logtype.json] log type [2024-04-05T09:17:02,946][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [others_application_logtype.json] log type [2024-04-05T09:17:02,947][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [okta_logtype.json] log type [2024-04-05T09:17:02,948][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [network_logtype.json] log type [2024-04-05T09:17:02,949][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [netflow_logtype.json] log type [2024-04-05T09:17:02,950][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [m365_logtype.json] log type [2024-04-05T09:17:02,951][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [linux_logtype.json] log type [2024-04-05T09:17:02,952][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [gworkspace_logtype.json] log type [2024-04-05T09:17:02,953][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [github_logtype.json] log type [2024-04-05T09:17:02,955][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [dns_logtype.json] log type [2024-04-05T09:17:02,956][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [cloudtrail_logtype.json] log type [2024-04-05T09:17:02,957][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [azure_logtype.json] log type [2024-04-05T09:17:02,958][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [apache_access_logtype.json] log type [2024-04-05T09:17:02,959][INFO ][o.o.s.l.BuiltinLogTypeLoader] [node-1] Loaded [ad_ldap_logtype.json] log type [2024-04-05T09:17:03,127][INFO ][o.o.t.TransportService ] [node-1] publish_address {127.0.0.1:9300}, bound_addresses {127.0.0.1:9300} [2024-04-05T09:17:03,131][INFO ][o.o.t.TransportService ] [node-1] Remote clusters initialized successfully. [2024-04-05T09:17:03,359][INFO ][o.o.c.c.Coordinator ] [node-1] setting initial configuration to VotingConfiguration{Nhl4cMrLQEK9RwNdp6T1XQ} [2024-04-05T09:17:03,573][INFO ][o.o.c.s.MasterService ] [node-1] elected-as-cluster-manager ([1] nodes joined)[{node-1}{Nhl4cMrLQEK9RwNdp6T1XQ}{q0qiHXzzRFywyzFlajo1Gg}{127.0.0.1}{127.0.0.1:9300}{dimr}{shard_indexing_pressure_enabled=true} elect leader, _BECOME_CLUSTER_MANAGER_TASK_, _FINISH_ELECTION_], term: 1, version: 1, delta: cluster-manager node changed {previous [], current [{node-1}{Nhl4cMrLQEK9RwNdp6T1XQ}{q0qiHXzzRFywyzFlajo1Gg}{127.0.0.1}{127.0.0.1:9300}{dimr}{shard_indexing_pressure_enabled=true}]} [2024-04-05T09:17:03,611][INFO ][o.o.c.c.CoordinationState] [node-1] cluster UUID set to [vKeFX6myRpGY-gb00ctDPA] [2024-04-05T09:17:03,630][INFO ][o.o.c.s.ClusterApplierService] [node-1] cluster-manager node changed {previous [], current [{node-1}{Nhl4cMrLQEK9RwNdp6T1XQ}{q0qiHXzzRFywyzFlajo1Gg}{127.0.0.1}{127.0.0.1:9300}{dimr}{shard_indexing_pressure_enabled=true}]}, term: 1, version: 1, reason: Publication{term=1, version=1} [2024-04-05T09:17:03,639][INFO ][o.o.a.c.ADClusterEventListener] [node-1] Cluster is not recovered yet. [2024-04-05T09:17:03,646][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:03,670][INFO ][o.o.i.i.ManagedIndexCoordinator] [node-1] Cache cluster manager node onClusterManager time: 1712308623670 [2024-04-05T09:17:03,687][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring. [2024-04-05T09:17:03,711][INFO ][o.o.d.PeerFinder ] [node-1] setting findPeersInterval to [1s] as node commission status = [true] for local node [{node-1}{Nhl4cMrLQEK9RwNdp6T1XQ}{q0qiHXzzRFywyzFlajo1Gg}{127.0.0.1}{127.0.0.1:9300}{dimr}{shard_indexing_pressure_enabled=true}] [2024-04-05T09:17:03,724][INFO ][o.o.h.AbstractHttpServerTransport] [node-1] publish_address {127.0.0.1:9200}, bound_addresses {127.0.0.1:9200} [2024-04-05T09:17:03,725][INFO ][o.o.n.Node ] [node-1] started [2024-04-05T09:17:03,737][INFO ][o.o.a.c.HashRing ] [node-1] Node added: [Nhl4cMrLQEK9RwNdp6T1XQ] [2024-04-05T09:17:03,741][INFO ][o.o.a.c.HashRing ] [node-1] Add data node to AD version hash ring: Nhl4cMrLQEK9RwNdp6T1XQ [2024-04-05T09:17:03,745][INFO ][o.o.a.c.HashRing ] [node-1] All nodes with known AD version: {Nhl4cMrLQEK9RwNdp6T1XQ=ADNodeInfo{version=2.10.0, isEligibleDataNode=true}} [2024-04-05T09:17:03,746][INFO ][o.o.a.c.HashRing ] [node-1] Rebuild AD hash ring for realtime AD with cooldown, nodeChangeEvents size 0 [2024-04-05T09:17:03,746][INFO ][o.o.a.c.HashRing ] [node-1] Build AD version hash ring successfully [2024-04-05T09:17:03,748][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:03,752][INFO ][o.o.s.OpenSearchSecurityPlugin] [node-1] Node started [2024-04-05T09:17:03,753][INFO ][o.o.s.c.ConfigurationRepository] [node-1] Will not attempt to create index .opendistro_security and default configs if they are absent. Use securityadmin to initialize cluster [2024-04-05T09:17:03,754][INFO ][o.o.a.c.ADDataMigrator ] [node-1] Start migrating AD data [2024-04-05T09:17:03,754][INFO ][o.o.a.c.ADDataMigrator ] [node-1] AD job index doesn't exist, no need to migrate [2024-04-05T09:17:03,761][INFO ][o.o.a.c.ADClusterEventListener] [node-1] Init AD version hash ring successfully [2024-04-05T09:17:03,763][INFO ][o.o.s.c.ConfigurationRepository] [node-1] Background init thread started. Install default config?: false [2024-04-05T09:17:03,763][INFO ][o.o.s.OpenSearchSecurityPlugin] [node-1] 0 OpenSearch Security modules loaded so far: [] [2024-04-05T09:17:03,768][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) [2024-04-05T09:17:03,768][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) [2024-04-05T09:17:03,768][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) [2024-04-05T09:17:03,778][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) [2024-04-05T09:17:03,779][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) [2024-04-05T09:17:03,783][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) [2024-04-05T09:17:03,783][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) [2024-04-05T09:17:03,784][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) [2024-04-05T09:17:03,784][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) [2024-04-05T09:17:03,784][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security) [2024-04-05T09:17:03,808][INFO ][o.o.g.GatewayService ] [node-1] recovered [0] indices into cluster_state [2024-04-05T09:17:03,836][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opensearch-sap-log-types-config/0PWKnjRGS3eIer48fGtG2w] [2024-04-05T09:17:04,297][ERROR][o.o.s.a.BackendRegistry ] [node-1] Not yet initialized (you may need to run securityadmin) [2024-04-05T09:17:04,325][INFO ][o.o.c.m.MetadataCreateIndexService] [node-1] [.opensearch-sap-log-types-config] creating index, cause [auto(sap-logtype api)], templates [], shards [1]/[1] [2024-04-05T09:17:04,371][INFO ][o.o.c.r.a.AllocationService] [node-1] updating number_of_replicas to [0] for indices [.opensearch-sap-log-types-config] [2024-04-05T09:17:04,635][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opensearch-sap-log-types-config/0PWKnjRGS3eIer48fGtG2w] [2024-04-05T09:17:04,853][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:04,913][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opensearch-observability/OTFsqhxXRX2KfABQFpqgwg] [2024-04-05T09:17:04,996][INFO ][o.o.c.m.MetadataCreateIndexService] [node-1] [.opensearch-observability] creating index, cause [api], templates [], shards [1]/[0] [2024-04-05T09:17:05,079][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opensearch-observability/OTFsqhxXRX2KfABQFpqgwg] [2024-04-05T09:17:05,136][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:05,147][INFO ][o.o.s.l.LogTypeService ] [node-1] Loading builtin types! [2024-04-05T09:17:05,163][INFO ][o.o.s.l.LogTypeService ] [node-1] Indexing [418] fieldMappingDocs from logTypes: 23 [2024-04-05T09:17:05,483][INFO ][o.o.s.l.LogTypeService ] [node-1] Loading builtin types! [2024-04-05T09:17:05,484][INFO ][o.o.s.l.LogTypeService ] [node-1] Indexing [418] fieldMappingDocs from logTypes: 23 [2024-04-05T09:17:05,496][INFO ][o.o.c.r.a.AllocationService] [node-1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.opensearch-sap-log-types-config][0], [.opensearch-observability][0]]]). [2024-04-05T09:17:05,613][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:05,620][INFO ][o.o.o.i.ObservabilityIndex] [node-1] observability:Index .opensearch-observability creation Acknowledged [2024-04-05T09:17:05,621][INFO ][o.o.s.l.LogTypeService ] [node-1] Loading builtin types! [2024-04-05T09:17:05,622][INFO ][o.o.o.i.ObservabilityIntegrationsIndex] [node-1] observability:createMappingTemplate ss4o_metrics_template API called [2024-04-05T09:17:05,632][INFO ][o.o.s.l.LogTypeService ] [node-1] Indexing [418] fieldMappingDocs from logTypes: 23 [2024-04-05T09:17:05,710][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[validate-template-ei6fdyxkqjsjc6cpalrqbw/HTXyZC1SRH-NIFISaSKerg] [2024-04-05T09:17:05,727][INFO ][o.o.s.l.LogTypeService ] [node-1] Indexing [418] fieldMappingDocs [2024-04-05T09:17:05,765][INFO ][o.o.s.l.LogTypeService ] [node-1] Indexing [418] fieldMappingDocs [2024-04-05T09:17:05,795][INFO ][o.o.s.l.LogTypeService ] [node-1] Indexing [418] fieldMappingDocs [2024-04-05T09:17:06,104][INFO ][o.o.c.m.MetadataIndexTemplateService] [node-1] adding index template [ss4o_metrics_template] for index patterns [ss4o_metrics-*-*] [2024-04-05T09:17:06,185][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:06,194][INFO ][o.o.o.i.ObservabilityIntegrationsIndex] [node-1] observability:Mapping Template ss4o_metrics_template creation Acknowledged [2024-04-05T09:17:06,194][INFO ][o.o.o.i.ObservabilityIntegrationsIndex] [node-1] observability:createMappingTemplate ss4o_traces_template API called [2024-04-05T09:17:06,196][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opensearch-sap-log-types-config/0PWKnjRGS3eIer48fGtG2w] [2024-04-05T09:17:06,317][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.opensearch-sap-log-types-config/0PWKnjRGS3eIer48fGtG2w] update_mapping [_doc] [2024-04-05T09:17:06,631][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:06,643][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[validate-template-8ylmvxyurws1mnbeom1wwq/AGSGvLarSkK5TeGjg7vhsA] [2024-04-05T09:17:06,726][INFO ][o.o.c.m.MetadataIndexTemplateService] [node-1] adding index template [ss4o_traces_template] for index patterns [ss4o_traces-*-*] [2024-04-05T09:17:06,818][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:06,829][INFO ][o.o.o.i.ObservabilityIntegrationsIndex] [node-1] observability:Mapping Template ss4o_traces_template creation Acknowledged [2024-04-05T09:17:06,830][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opensearch-sap-log-types-config/0PWKnjRGS3eIer48fGtG2w] [2024-04-05T09:17:06,943][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opensearch-sap-log-types-config/0PWKnjRGS3eIer48fGtG2w] [2024-04-05T09:17:06,975][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.opensearch-sap-log-types-config/0PWKnjRGS3eIer48fGtG2w] update_mapping [_doc] [2024-04-05T09:17:07,090][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:07,098][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opensearch-sap-log-types-config/0PWKnjRGS3eIer48fGtG2w] [2024-04-05T09:17:08,678][INFO ][o.o.s.l.LogTypeService ] [node-1] Loaded [418] field mapping docs successfully! [2024-04-05T09:17:08,736][INFO ][o.o.s.l.LogTypeService ] [node-1] Indexing [22] customLogTypes [2024-04-05T09:17:08,816][INFO ][o.o.s.l.LogTypeService ] [node-1] Loaded [418] field mapping docs successfully! [2024-04-05T09:17:08,852][INFO ][o.o.s.l.LogTypeService ] [node-1] Indexing [22] customLogTypes [2024-04-05T09:17:09,143][INFO ][o.o.s.l.LogTypeService ] [node-1] Loaded [22] customLogType docs successfully! [2024-04-05T09:17:09,143][INFO ][o.o.s.SecurityAnalyticsPlugin] [node-1] LogType config index successfully created and builtin log types loaded [2024-04-05T09:17:09,450][INFO ][o.o.s.l.LogTypeService ] [node-1] Loaded [22] customLogType docs successfully! [2024-04-05T09:17:09,668][INFO ][o.o.s.l.LogTypeService ] [node-1] Loaded [418] field mapping docs successfully! [2024-04-05T09:17:09,859][INFO ][o.o.s.i.DetectorIndexManagementService] [node-1] No Old Alert Indices to delete [2024-04-05T09:17:09,879][INFO ][o.o.s.i.DetectorIndexManagementService] [node-1] No Old Finding Indices to delete [2024-04-05T09:17:11,264][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] [2024-04-05T09:17:11,268][INFO ][o.o.c.m.MetadataCreateIndexService] [node-1] [.opendistro_security] creating index, cause [api], templates [], shards [1]/[1] [2024-04-05T09:17:11,269][INFO ][o.o.c.r.a.AllocationService] [node-1] updating number_of_replicas to [0] for indices [.opendistro_security] [2024-04-05T09:17:11,311][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] [2024-04-05T09:17:11,340][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:11,358][INFO ][o.o.c.r.a.AllocationService] [node-1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.opendistro_security][0]]]). [2024-04-05T09:17:11,374][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:11,720][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] [2024-04-05T09:17:11,741][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] create_mapping [2024-04-05T09:17:11,798][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:11,919][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] [2024-04-05T09:17:11,925][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] update_mapping [_doc] [2024-04-05T09:17:11,976][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:12,116][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] [2024-04-05T09:17:12,140][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] update_mapping [_doc] [2024-04-05T09:17:12,192][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:12,351][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] [2024-04-05T09:17:12,381][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] update_mapping [_doc] [2024-04-05T09:17:12,410][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:12,502][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] [2024-04-05T09:17:12,512][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] update_mapping [_doc] [2024-04-05T09:17:12,549][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:12,638][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] [2024-04-05T09:17:12,655][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] update_mapping [_doc] [2024-04-05T09:17:12,688][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:12,745][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] [2024-04-05T09:17:12,751][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] update_mapping [_doc] [2024-04-05T09:17:12,768][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:12,854][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] [2024-04-05T09:17:12,860][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] update_mapping [_doc] [2024-04-05T09:17:12,880][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:13,120][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] [2024-04-05T09:17:13,128][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] update_mapping [_doc] [2024-04-05T09:17:13,147][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:13,214][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] [2024-04-05T09:17:13,222][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.opendistro_security/TxBWoKglSKGnWYtnOH4rfA] update_mapping [_doc] [2024-04-05T09:17:13,242][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:13,695][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.plugins-ml-config/FwAGSvaVRWaN7Qrdqv6gpQ] [2024-04-05T09:17:13,710][INFO ][o.o.c.m.MetadataCreateIndexService] [node-1] [.plugins-ml-config] creating index, cause [api], templates [], shards [1]/[1] [2024-04-05T09:17:13,712][INFO ][o.o.c.r.a.AllocationService] [node-1] updating number_of_replicas to [0] for indices [.plugins-ml-config] [2024-04-05T09:17:13,825][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.plugins-ml-config/FwAGSvaVRWaN7Qrdqv6gpQ] [2024-04-05T09:17:13,858][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:13,955][INFO ][o.o.c.r.a.AllocationService] [node-1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.plugins-ml-config][0]]]). [2024-04-05T09:17:14,003][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:17:14,006][INFO ][o.o.m.i.MLIndicesHandler ] [node-1] create index:.plugins-ml-config [2024-04-05T09:17:14,149][INFO ][o.o.m.c.MLSyncUpCron ] [node-1] ML configuration initialized successfully [2024-04-05T09:17:14,658][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing on REST API is enabled. [2024-04-05T09:17:14,659][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from REST API auditing. [2024-04-05T09:17:14,659][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing on Transport API is enabled. [2024-04-05T09:17:14,660][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from Transport API auditing. [2024-04-05T09:17:14,660][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing of request body is enabled. [2024-04-05T09:17:14,660][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Bulk requests resolution is disabled during request auditing. [2024-04-05T09:17:14,661][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Index resolution is enabled during request auditing. [2024-04-05T09:17:14,662][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Sensitive headers auditing is enabled. [2024-04-05T09:17:14,662][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing requests from kibanaserver users is disabled. [2024-04-05T09:17:14,668][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing of external configuration is disabled. [2024-04-05T09:17:14,669][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing of internal configuration is enabled. [2024-04-05T09:17:14,669][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing only metadata information for read request is enabled. [2024-04-05T09:17:14,670][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing will watch {} for read requests. [2024-04-05T09:17:14,670][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing read operation requests from kibanaserver users is disabled. [2024-04-05T09:17:14,670][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing only metadata information for write request is enabled. [2024-04-05T09:17:14,671][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing diffs for write requests is disabled. [2024-04-05T09:17:14,671][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing write operation requests from kibanaserver users is disabled. [2024-04-05T09:17:14,671][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing will watch for write requests. [2024-04-05T09:17:14,672][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] .opendistro_security is used as internal security index. [2024-04-05T09:17:14,672][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Internal index used for posting audit logs is null [2024-04-05T09:17:16,810][INFO ][o.o.s.c.ConfigurationRepository] [node-1] Hot-reloading of audit configuration is enabled [2024-04-05T09:17:16,810][INFO ][o.o.s.c.ConfigurationRepository] [node-1] Node 'node-1' initialized [2024-04-05T09:18:03,673][INFO ][o.o.i.i.ManagedIndexCoordinator] [node-1] Performing move cluster state metadata. [2024-04-05T09:18:03,674][INFO ][o.o.i.i.MetadataService ] [node-1] ISM config index not exist, so we cancel the metadata migration job. [2024-04-05T09:18:03,677][INFO ][o.o.i.i.ManagedIndexCoordinator] [node-1] Performing ISM template migration. [2024-04-05T09:18:03,678][INFO ][o.o.i.i.m.ISMTemplateService] [node-1] Doing ISM template migration 1 time. [2024-04-05T09:18:03,678][INFO ][o.o.i.i.m.ISMTemplateService] [node-1] Use 2024-04-05T08:17:03.670Z as migrating ISM template last_updated_time [2024-04-05T09:18:03,694][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[simulate_template_index_rfcyooi1rhg7xreeibiodq/tzAUS57sTAOcJN5tDSHD6A] [2024-04-05T09:18:03,708][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[simulate_template_index_rfcyooi1rhg7xreeibiodq/tzAUS57sTAOcJN5tDSHD6A] [2024-04-05T09:18:03,739][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[simulate_template_index_hgxkgzzpqtuai19sp3wcjg/_61oFtfLRR20374Y9QI79Q] [2024-04-05T09:18:03,747][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[simulate_template_index_hgxkgzzpqtuai19sp3wcjg/_61oFtfLRR20374Y9QI79Q] [2024-04-05T09:18:03,759][INFO ][o.o.i.i.m.ISMTemplateService] [node-1] ISM templates: {=[ISMTemplate(indexPatterns=[ss4o_metrics-*-*], priority=1, lastUpdatedTime=2024-04-05T08:17:03.670Z), ISMTemplate(indexPatterns=[ss4o_traces-*-*], priority=1, lastUpdatedTime=2024-04-05T08:17:03.670Z)]} [2024-04-05T09:18:03,761][INFO ][o.o.i.i.m.ISMTemplateService] [node-1] Policies to update: [] [2024-04-05T09:18:03,771][INFO ][o.o.i.i.m.ISMTemplateService] [node-1] Failure experienced when migrating ISM Template and update ISM policies: {} [2024-04-05T09:18:03,822][INFO ][o.o.c.s.ClusterSettings ] [node-1] updating [plugins.index_state_management.template_migration.control] from [0] to [-1] [2024-04-05T09:18:03,824][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:18:03,830][INFO ][o.o.i.i.m.ISMTemplateService] [node-1] Successfully update template migration setting [2024-04-05T09:19:03,674][INFO ][o.o.i.i.ManagedIndexCoordinator] [node-1] Cancel background move metadata process. [2024-04-05T09:19:03,676][INFO ][o.o.i.i.ManagedIndexCoordinator] [node-1] Performing move cluster state metadata. [2024-04-05T09:19:03,677][INFO ][o.o.i.i.MetadataService ] [node-1] Move metadata has finished. [2024-04-05T09:20:28,908][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[-5Qi2pBTT56gYD3EUOghSw/Yfx50YI4Ryi5kMD_xf0Ktg] [2024-04-05T09:20:29,078][INFO ][o.o.c.m.MetadataIndexTemplateService] [node-1] adding template [wazuh] for index patterns [wazuh-alerts-4.x-*, wazuh-archives-4.x-*] [2024-04-05T09:20:29,172][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:20:29,636][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:20:30,253][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] [2024-04-05T09:20:30,353][INFO ][o.o.c.m.MetadataCreateIndexService] [node-1] [wazuh-alerts-4.x-2024.04.05] creating index, cause [auto(bulk api)], templates [wazuh], shards [3]/[0] [2024-04-05T09:20:30,592][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] [2024-04-05T09:20:30,744][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:20:30,825][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:20:30,831][INFO ][o.o.c.r.a.AllocationService] [node-1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[wazuh-alerts-4.x-2024.04.05][1], [wazuh-alerts-4.x-2024.04.05][0]]]). [2024-04-05T09:20:30,866][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:20:30,975][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] [2024-04-05T09:20:31,058][INFO ][o.o.c.m.MetadataMappingService] [node-1] [wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] update_mapping [_doc] [2024-04-05T09:20:31,200][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:20:31,204][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] [2024-04-05T09:20:31,276][INFO ][o.o.c.m.MetadataMappingService] [node-1] [wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] update_mapping [_doc] [2024-04-05T09:20:31,295][INFO ][o.o.c.m.MetadataMappingService] [node-1] [wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] update_mapping [_doc] [2024-04-05T09:20:31,384][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:20:31,387][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] [2024-04-05T09:20:31,530][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] [2024-04-05T09:20:44,132][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[validate-template-dka6k_z1rh-pxrewbqgjfw/Yfy7ZOpkRImonQ11M5a1lA] [2024-04-05T09:20:44,164][INFO ][o.o.c.m.MetadataIndexTemplateService] [node-1] adding index template [wazuh-states-vulnerabilities_template] for index patterns [wazuh-states-vulnerabilities] [2024-04-05T09:20:44,297][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:20:44,314][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-states-vulnerabilities/d3nWXvspSQ-n4JvCXFdjrQ] [2024-04-05T09:20:44,352][INFO ][o.o.c.m.MetadataCreateIndexService] [node-1] [wazuh-states-vulnerabilities] creating index, cause [api], templates [wazuh-states-vulnerabilities_template], shards [1]/[0] [2024-04-05T09:20:44,395][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-states-vulnerabilities/d3nWXvspSQ-n4JvCXFdjrQ] [2024-04-05T09:20:44,530][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:20:44,577][INFO ][o.o.c.r.a.AllocationService] [node-1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[wazuh-states-vulnerabilities][0]]]). [2024-04-05T09:20:44,644][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:21:22,712][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] [2024-04-05T09:21:22,859][INFO ][o.o.c.m.MetadataMappingService] [node-1] [wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] update_mapping [_doc] [2024-04-05T09:21:23,249][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:21:23,344][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] [2024-04-05T09:21:23,432][INFO ][o.o.c.m.MetadataMappingService] [node-1] [wazuh-alerts-4.x-2024.04.05/KMphOlaBTPuquLp0YmVTgA] update_mapping [_doc] [2024-04-05T09:21:23,836][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:22:03,338][INFO ][o.o.j.s.JobSweeper ] [node-1] Running full sweep [2024-04-05T09:22:03,681][INFO ][o.o.i.i.PluginVersionSweepCoordinator] [node-1] Canceling sweep ism plugin version job [2024-04-05T09:22:41,418][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.kibana_1/1nhOvLrXSwWfLVmIRQDNwg] [2024-04-05T09:22:41,467][INFO ][o.o.c.m.MetadataCreateIndexService] [node-1] [.kibana_1] creating index, cause [api], templates [], shards [1]/[1] [2024-04-05T09:22:41,468][INFO ][o.o.c.r.a.AllocationService] [node-1] updating number_of_replicas to [0] for indices [.kibana_1] [2024-04-05T09:22:41,502][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.kibana_1/1nhOvLrXSwWfLVmIRQDNwg] [2024-04-05T09:22:41,534][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:22:41,586][INFO ][o.o.c.r.a.AllocationService] [node-1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.kibana_1][0]]]). [2024-04-05T09:22:41,610][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:22:41,705][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:22:42,401][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[CI7jTWGPR0ukGqqJg9Ra0Q/cqNuGHprSymAjkrVQJs77w] [2024-04-05T09:22:42,423][INFO ][o.o.c.m.MetadataIndexTemplateService] [node-1] adding template [wazuh-statistics] for index patterns [wazuh-statistics-*] [2024-04-05T09:22:42,535][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:22:42,919][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[R6tJGqrXQI2YI1aqurPzAg/RC9NpF8-SV-XP9OhrSNseg] [2024-04-05T09:22:42,927][INFO ][o.o.c.m.MetadataIndexTemplateService] [node-1] adding template [wazuh-agent] for index patterns [wazuh-monitoring-*] [2024-04-05T09:22:42,994][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:22:44,417][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-monitoring-2024.14w/D6K6K20dSbSZGjYiSlJyJw] [2024-04-05T09:22:44,422][INFO ][o.o.c.m.MetadataCreateIndexService] [node-1] [wazuh-monitoring-2024.14w] creating index, cause [api], templates [wazuh-agent], shards [1]/[0] [2024-04-05T09:22:44,458][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-monitoring-2024.14w/D6K6K20dSbSZGjYiSlJyJw] [2024-04-05T09:22:44,478][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:22:44,503][INFO ][o.o.c.r.a.AllocationService] [node-1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[wazuh-monitoring-2024.14w][0]]]). [2024-04-05T09:22:44,535][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:22:44,574][INFO ][o.o.c.m.MetadataUpdateSettingsService] [node-1] updating number_of_replicas to [0] for indices [wazuh-monitoring-2024.14w] [2024-04-05T09:23:21,125][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:55310 [2024-04-05T09:23:23,509][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:55320 [2024-04-05T09:23:24,852][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:55324 [2024-04-05T09:23:27,736][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:55324 [2024-04-05T09:23:28,573][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:34898 [2024-04-05T09:23:32,093][WARN ][o.o.s.a.BackendRegistry ] [node-1] Authentication finally failed for admin from 127.0.0.1:55324 [2024-04-05T09:23:32,680][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing on REST API is enabled. [2024-04-05T09:23:32,681][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from REST API auditing. [2024-04-05T09:23:32,682][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing on Transport API is enabled. [2024-04-05T09:23:32,682][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from Transport API auditing. [2024-04-05T09:23:32,682][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing of request body is enabled. [2024-04-05T09:23:32,682][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Bulk requests resolution is disabled during request auditing. [2024-04-05T09:23:32,683][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Index resolution is enabled during request auditing. [2024-04-05T09:23:32,683][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Sensitive headers auditing is enabled. [2024-04-05T09:23:32,683][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing requests from kibanaserver users is disabled. [2024-04-05T09:23:32,684][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing of external configuration is disabled. [2024-04-05T09:23:32,684][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing of internal configuration is enabled. [2024-04-05T09:23:32,684][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing only metadata information for read request is enabled. [2024-04-05T09:23:32,684][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing will watch {} for read requests. [2024-04-05T09:23:32,684][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing read operation requests from kibanaserver users is disabled. [2024-04-05T09:23:32,684][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing only metadata information for write request is enabled. [2024-04-05T09:23:32,684][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing diffs for write requests is disabled. [2024-04-05T09:23:32,685][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing write operation requests from kibanaserver users is disabled. [2024-04-05T09:23:32,685][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Auditing will watch for write requests. [2024-04-05T09:23:32,685][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] .opendistro_security is used as internal security index. [2024-04-05T09:23:32,685][INFO ][o.o.s.a.i.AuditLogImpl ] [node-1] Internal index used for posting audit logs is null [2024-04-05T09:23:41,236][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[F_jY63QkTdSiq3g7tYB9Sw/Qmt4nwVQRPWSWLsF5ODobA] [2024-04-05T09:23:41,269][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[sYbzVOuQSCaUYlOC1eybAA/RQQSs6rVSrGWEYHKCMDdoA] [2024-04-05T09:23:43,032][INFO ][o.o.c.m.MetadataUpdateSettingsService] [node-1] updating number_of_replicas to [0] for indices [wazuh-monitoring-2024.14w] [2024-04-05T09:23:57,573][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.kibana_1/1nhOvLrXSwWfLVmIRQDNwg] [2024-04-05T09:23:57,582][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.kibana_1/1nhOvLrXSwWfLVmIRQDNwg] update_mapping [_doc] [2024-04-05T09:23:57,615][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:26:17,012][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.kibana_1/1nhOvLrXSwWfLVmIRQDNwg] [2024-04-05T09:26:17,058][INFO ][o.o.c.m.MetadataMappingService] [node-1] [.kibana_1/1nhOvLrXSwWfLVmIRQDNwg] update_mapping [_doc] [2024-04-05T09:26:17,264][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:26:17,272][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[.kibana_1/1nhOvLrXSwWfLVmIRQDNwg] [2024-04-05T09:27:03,341][INFO ][o.o.j.s.JobSweeper ] [node-1] Running full sweep [2024-04-05T09:30:00,461][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-statistics-2024.14w/KVpULFkYTtKyyh33iiMQCg] [2024-04-05T09:30:00,474][INFO ][o.o.c.m.MetadataCreateIndexService] [node-1] [wazuh-statistics-2024.14w] creating index, cause [api], templates [wazuh-statistics], shards [1]/[0] [2024-04-05T09:30:00,547][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-statistics-2024.14w/KVpULFkYTtKyyh33iiMQCg] [2024-04-05T09:30:00,567][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:30:00,582][INFO ][o.o.c.m.MetadataUpdateSettingsService] [node-1] updating number_of_replicas to [0] for indices [wazuh-monitoring-2024.14w] [2024-04-05T09:30:00,625][INFO ][o.o.c.r.a.AllocationService] [node-1] Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[wazuh-statistics-2024.14w][0]]]). [2024-04-05T09:30:00,643][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:30:00,943][INFO ][o.o.p.PluginsService ] [node-1] PluginService:onIndexModule index:[wazuh-statistics-2024.14w/KVpULFkYTtKyyh33iiMQCg] [2024-04-05T09:30:00,950][INFO ][o.o.c.m.MetadataMappingService] [node-1] [wazuh-statistics-2024.14w/KVpULFkYTtKyyh33iiMQCg] update_mapping [_doc] [2024-04-05T09:30:00,979][INFO ][o.o.a.u.d.DestinationMigrationCoordinator] [node-1] Detected cluster change event for destination migration [2024-04-05T09:32:03,345][INFO ][o.o.j.s.JobSweeper ] [node-1] Running full sweep [2024-04-05T09:37:03,352][INFO ][o.o.j.s.JobSweeper ] [node-1] Running full sweep [2024-04-05T09:40:07,092][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector ClusterManagerServiceEventMetrics is still in progress, so skipping this Interval [2024-04-05T09:40:13,342][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector OSMetrics is still in progress, so skipping this Interval [2024-04-05T09:40:12,380][WARN ][o.o.m.f.FsHealthService ] [node-1] health check of [/var/lib/wazuh-indexer/nodes/0] took [5747ms] which is above the warn threshold of [5s] [2024-04-05T09:40:14,384][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector CacheConfigMetrics is still in progress, so skipping this Interval [2024-04-05T09:40:15,889][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector OSMetrics is still in progress, so skipping this Interval [2024-04-05T09:40:19,594][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector DisksCollector is still in progress, so skipping this Interval [2024-04-05T09:40:20,805][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector ThreadPoolMetrics is still in progress, so skipping this Interval [2024-04-05T09:40:24,811][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector NetworkInterfaceCollector is still in progress, so skipping this Interval [2024-04-05T09:40:25,305][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector NodeDetails is still in progress, so skipping this Interval [2024-04-05T09:40:26,548][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector ThreadPoolMetrics is still in progress, so skipping this Interval [2024-04-05T09:40:27,576][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector HeapMetrics is still in progress, so skipping this Interval [2024-04-05T09:40:29,324][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector ShardsStateCollector is still in progress, so skipping this Interval [2024-04-05T09:40:30,421][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector NetworkInterfaceCollector is still in progress, so skipping this Interval [2024-04-05T09:40:30,996][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector ShardIndexingPressureMetricsCollector is still in progress, so skipping this Interval [2024-04-05T09:40:33,025][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector CacheConfigMetrics is still in progress, so skipping this Interval [2024-04-05T09:40:35,182][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector DisksCollector is still in progress, so skipping this Interval [2024-04-05T09:40:36,911][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector CircuitBreaker is still in progress, so skipping this Interval [2024-04-05T09:40:39,229][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector GCInfo is still in progress, so skipping this Interval [2024-04-05T09:40:41,143][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector AdmissionControlMetricsCollector is still in progress, so skipping this Interval [2024-04-05T09:40:41,657][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector ClusterManagerServiceMetrics is still in progress, so skipping this Interval [2024-04-05T09:40:42,759][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector HeapMetrics is still in progress, so skipping this Interval [2024-04-05T09:40:43,810][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector ShardIndexingPressureMetricsCollector is still in progress, so skipping this Interval [2024-04-05T09:40:44,552][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector NodeStatsMetrics is still in progress, so skipping this Interval [2024-04-05T09:40:45,112][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector CircuitBreaker is still in progress, so skipping this Interval [2024-04-05T09:40:48,324][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector NodeStatsMetrics is still in progress, so skipping this Interval [2024-04-05T09:40:52,545][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector NodeDetails is still in progress, so skipping this Interval [2024-04-05T09:40:57,072][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector GCInfo is still in progress, so skipping this Interval [2024-04-05T09:40:59,644][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector ShardsStateCollector is still in progress, so skipping this Interval [2024-04-05T09:41:01,750][INFO ][o.o.p.c.c.ScheduledMetricCollectorsExecutor] [node-1] Collector ClusterManagerServiceMetrics is still in progress, so skipping this Interval [2024-04-05T09:41:27,967][WARN ][o.o.m.f.FsHealthService ] [node-1] health check of [/var/lib/wazuh-indexer/nodes/0] took [8164ms] which is above the warn threshold of [5s] [2024-04-05T09:42:03,677][INFO ][o.o.j.s.JobSweeper ] [node-1] Running full sweep [2024-04-05T09:43:53,744][WARN ][o.o.m.f.FsHealthService ] [node-1] health check of [/var/lib/wazuh-indexer/nodes/0] took [9542ms] which is above the warn threshold of [5s] [2024-04-05T09:47:04,799][INFO ][o.o.j.s.JobSweeper ] [node-1] Running full sweep [2024-04-05T09:52:04,814][INFO ][o.o.j.s.JobSweeper ] [node-1] Running full sweep [2024-04-05T09:57:04,817][INFO ][o.o.j.s.JobSweeper ] [node-1] Running full sweep ```
Wazuh dashboard log There are some connection refused errors because I restarted the manager, and I tried to access the Dahshboard when it was not ready. ```console root@ubuntu22:/home/vagrant# cat /usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log {"date":"2024-04-05T09:22:42.155Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"} {"date":"2024-04-05T09:22:42.156Z","level":"info","location":"initialize","message":"App revision: 06"} {"date":"2024-04-05T09:22:42.156Z","level":"info","location":"initialize","message":"Total RAM: 3909MB"} {"date":"2024-04-05T09:23:41.126Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"} {"date":"2024-04-05T09:23:41.127Z","level":"info","location":"initialize","message":"App revision: 06"} {"date":"2024-04-05T09:23:41.127Z","level":"info","location":"initialize","message":"Total RAM: 3909MB"} {"data":{"config":{"data":"{}","method":"get","params":{},"url":"https://127.0.0.1:55000/manager/stats/remoted"},"message":"connect ECONNREFUSED 127.0.0.1:55000","stack":"Error: connect ECONNREFUSED 127.0.0.1:55000\n at Function.AxiosError.from (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/core/AxiosError.js:89:14)\n at RedirectableRequest.handleRequestError (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/adapters/http.js:606:25)\n at RedirectableRequest.emit (node:events:513:28)\n at RedirectableRequest.emit (node:domain:489:12)\n at ClientRequest.eventHandlers. (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/follow-redirects/index.js:14:24)\n at ClientRequest.emit (node:events:513:28)\n at ClientRequest.emit (node:domain:489:12)\n at TLSSocket.socketErrorListener (node:_http_client:502:9)\n at TLSSocket.emit (node:events:513:28)\n at TLSSocket.emit (node:domain:489:12)\n at emitErrorNT (node:internal/streams/destroy:151:8)\n at emitErrorCloseNT (node:internal/streams/destroy:116:3)\n at processTicksAndRejections (node:internal/process/task_queues:82:21)"},"date":"2024-04-05T09:50:00.699Z","level":"info","location":"Cron-scheduler"} {"data":{"config":{"data":"{}","method":"get","params":{},"url":"https://127.0.0.1:55000/manager/stats/analysisd"},"message":"connect ECONNREFUSED 127.0.0.1:55000","stack":"Error: connect ECONNREFUSED 127.0.0.1:55000\n at Function.AxiosError.from (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/core/AxiosError.js:89:14)\n at RedirectableRequest.handleRequestError (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/axios/lib/adapters/http.js:606:25)\n at RedirectableRequest.emit (node:events:513:28)\n at RedirectableRequest.emit (node:domain:489:12)\n at ClientRequest.eventHandlers. (/usr/share/wazuh-dashboard/plugins/wazuh/node_modules/follow-redirects/index.js:14:24)\n at ClientRequest.emit (node:events:513:28)\n at ClientRequest.emit (node:domain:489:12)\n at TLSSocket.socketErrorListener (node:_http_client:502:9)\n at TLSSocket.emit (node:events:513:28)\n at TLSSocket.emit (node:domain:489:12)\n at emitErrorNT (node:internal/streams/destroy:151:8)\n at emitErrorCloseNT (node:internal/streams/destroy:116:3)\n at processTicksAndRejections (node:internal/process/task_queues:82:21)"},"date":"2024-04-05T09:50:00.707Z","level":"info","location":"Cron-scheduler"} {"date":"2024-04-05T14:05:25.421Z","level":"info","location":"initialize","message":"Wazuh dashboard index: .kibana"} {"date":"2024-04-05T14:05:25.422Z","level":"info","location":"initialize","message":"App revision: 06"} {"date":"2024-04-05T14:05:25.422Z","level":"info","location":"initialize","message":"Total RAM: 3909MB"} ```

Screenshot from 2024-04-05 11-26-48 Screenshot from 2024-04-05 11-27-43 Screenshot from 2024-04-05 16-15-19

Conclusion

As a conclusion, no related errors were generated and everything is working fine. It is needed to ensure that this change does not break anything. We should discuss this with the rest of the teams about this change, and if so, perform a deeper testing.

sebasfalcone commented 3 months ago

Manager side

The only impact that comes to mind is that the Keystore did not support certificates other than RSA-2048. However, we no longer use certificates starting from version 4.8.1

I do not foresee any issues since these changes are included in version 4.10.0.

c-bordon commented 3 months ago

wazuh-packages branch with the changes: https://github.com/wazuh/wazuh-packages/tree/feature/1922-consider-to-increase-the-wazuh-cert-toolsh-rsa-2048-and-sha-256-to-4096-and-512

CarlosALgit commented 3 months ago

Update Report

We have to also change this command:

openssl req -new -nodes -newkey rsa:2048 -keyout ${cert_tmp_path}/${server_name}-key.pem -out ${cert_tmp_path}/${server_name}.csr  -config ${cert_tmp_path}/${server_name}.conf

In order to assure the certificates are changed to RSA-4096.

There are more commands similar to this one we have to change and test in order to include SHA-512 too.

CarlosALgit commented 3 months ago

Update Report

I've been researching through the AIO installation I did with the new certificates looking for problems with the certificates. I've activated debug mode but did not find anything out of the ordinary. I'll keep investigating this with the help of my team.

teddytpc1 commented 2 months ago

Moved to 5.0.0 as part of the DevOps overhaul.

CarlosALgit commented 2 months ago

Update Report

Link from the report update that is in the PR: https://github.com/wazuh/wazuh-packages/pull/3066#issuecomment-2271404895